Fix possible memory leak in case if WPS is not enabled on the interface
for connection. This path was missed in commit
fae7b37260 ('WPS: Do not expire probable
BSSes for WPS connection').
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
When the BSS count reaches max_bss_count, the oldest BSS will be removed
in order to accommodate a new BSS. Exclude WPS enabled BSSes when going
through a WPS connection so that a possible WPS candidate will not be
lost.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Ditch the legacy syntax and manual engine mangling and just give an
example using simple PKCS#11 URIs that'll work with both GnuTLS and
OpenSSL.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
IEEE Std 802.11-2012, 10.19 (Public Action frame addressing) specifies
that the wildcard BSSID value is used in Public Action frames that are
transmitted to a STA that is not a member of the same BSS.
wpa_supplicant used to use the actual BSSID value for all such frames
regardless of whether the destination STA is a member of the BSS.
P2P does not follow this rule, so P2P Public Action frame construction
must not be changed. However, the cases using GAS/ANQP for non-P2P
purposes should follow the standard requirements.
Unfortunately, there are deployed AP implementations that do not reply
to a GAS request sent using the wildcard BSSID value. The previously
used behavior (Address3 = AP BSSID even when not associated) continues
to be the default, but the IEEE 802.11 standard compliant addressing
behavior can now be configured with gas_address3=1.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This allows minimal testing with 160 MHz channel with country code ZA
that happens to be the only one with a non-DFS 160 MHz frequency. DFS
with mesh is not yet supported.
Signed-off-by: Jouni Malinen <j@w1.fi>
ssid->frequency cannot be 0 in wpa_supplicant_mesh_init() since
wpas_supplicant_join_mesh() rejects such a configuration.
Signed-off-by: Jouni Malinen <j@w1.fi>
This adds the necessary changes to support extraction and use of the
extended capabilities specified per interface type (a recent
cfg80211/nl80211 extension). If that information is available,
per-interface values will be used to override the global per-radio
value.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Add a new "timeout" argument to the event message if the nl80211 message
indicates that the connection failure is not due to an explicit AP
rejection message. This makes it easier for external programs to figure
out why the connection failed.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
wpa_deinit() got called twice if the random_get_bytes() fails to
generate the MGTK. This resulted in double-freeing the rsn->auth
pointer. Fix this by allowing mesh_rsn_auth_init() handle freeing for
all error cases.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This adds an extra parameter in GroupStarted signal to indicate whether
the created group is Persistent or not. It is similar to the
[PERSISTENT] tag which comes in P2P-GROUP-STARTED over the control
interface.
Signed-off-by: Nishant Chaprana <n.chaprana@samsung.com>
Instead of reporting the memory allocation failure and stopping, run the
scan even if the frequency list cannot be created due to allocation
failure. This allows the wpa_s->reattach flag to be cleared and the scan
to be completed even if it takes a bit longer time due to all channels
getting scanned.
Signed-off-by: Jouni Malinen <j@w1.fi>
If preassoc_mac_addr is used and updating the MAC address fails in
wpas_trigger_scan_cb(), the cloned scan parameters were leaked. Fix that
and also send a CTRL-EVENT-SCAN-FAILED event in this and another error
case.
Signed-off-by: Jouni Malinen <j@w1.fi>
There is no need to have a separate if statement to skip the cases where
phase1 is not set. Just check it with the strstr comparison since this
case is not really used in practice.
Signed-off-by: Jouni Malinen <j@w1.fi>
wpa_s->current_ssid is set to a non-NULL ssid pointer value here, so
there is no need for the extra if statement.
Signed-off-by: Jouni Malinen <j@w1.fi>
The P2P Device interface can only send Public Action frames. Non-Public
Action frames must be sent over a group interface. The previous
implementation sometimes tried to send non-Public Action frames such as
GO Discoverability over the P2P Device interface, however, the source
address of the frame was set to the group interface address so the code
in offchannel.c knew to select the correct interface for the TX.
The check breaks when the P2P Device and group interfaces have the same
MAC address. In this case the frame will be sent over the P2P Device
interface and the send will fail.
Fix this problem in two places:
1. In offchannel, route non-Public Action frames to the GO
interface when the above conditions are met.
2. When a TX_STATUS event arrives on such routed frame, it will
arrive on the GO interface but it must be handled by the P2P Device
interface since it has the relevant state logic.
Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
This allows using P2PS config method with or without PIN for connection.
wpa_supplicant should internally handle the default PIN "12345670" and
shall also allow connection irrespective of PIN used in P2P_CONNECT.
For example,
1. P2P_CONNECT 02:2a:fb:22:22:33 p2ps
2. P2P_CONNECT 02:2a:fb:22:22:33 xxxxxxxx p2ps
Where the second one is maintained for backwards compatibility.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
work->type was pointing to the allocated work->ctx buffer and the debug
print in radio_work_free() ended up using freed memory if a started
external radio work was removed as part of FLUSH command operations. Fix
this by updating work->type to point to a constant string in case the
dynamic version gets freed.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Add a new parameter wps_disabled to network block (wpa_ssid). This
parameter allows WPS functionality to be disabled in AP mode.
Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
While this is unlikely to make any practical difference, it is better to
keep consistent with hostapd configuration parser.
Signed-off-by: Jouni Malinen <j@w1.fi>
If the network profile key_mgmt parameter was not set, wpa_supplicant
defaulted to enabling both WPA-PSK and WPA-EAP. This is not correct for
AP mode operations, so remove WPA-EAP in such a case to fix WPA-PSK
without explicit key_mgmt parameter.
Signed-off-by: Jouni Malinen <j@w1.fi>
wpa_supplicant was starting P2P group processing for all AP mode
interfaces in CONFIG_P2P=y builds. This is unnecessary and such
operations should be enabled only for actual GO interfaces.
Signed-off-by: Jouni Malinen <j@w1.fi>
The NL80211_CMD_WIPHY_REG_CHANGE can be handled by any of the
interfaces that are currently controlled by the wpa_supplicant.
However, some applications expect the REGDOM_CHANGE event to be
sent on the control interface of the initially added interface
(and do not expect the event on any of child interfaces).
To resolve this, when processing NL80211_CMD_WIPHY_REG_CHANGE,
find the highest parent in the chain, and use its control interface
to emit the CTRL-EVENT-REGDOM-CHANGE event.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
This makes it easier to write hwsim test cases to verify management
frame processing sequences with dropped or modified frames. When
ext_mgmt_frame_handling is used, this new command can be used to request
wpa_supplicant to process a received a management frame, e.g., based on
information reported in the MGMT-RX events.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
IEEE Std 802.11-2012 13.5.6.3 State transitions require an action
sending SETKEYS primitive to MAC when OPN_ACPT event occurs in CNF_RCVD
state in case of AMPE is used, but since MTK calculation is missed in
this condition, all zero valued key are passed to MAC and cause unicast
packet decryption error. This could happen if the first transmission of
plink Open frame is dropped and Confirm frame is processed first
followed by retransmitted Open frame.
Fix this by calculating the MTK also in this sequence of unexpected
messages.
Signed-off-by: Peter Oh <poh@qca.qualcomm.com>
IEEE Std 802.11-2012 Table 13-2, MPM finite state machine requires to
clear retryTimer when CNF_ACPT event occurs in OPN_SNT state which is
missing, so add it to comply with the standard.
This was found while debugging an MTK issue and this commit fixes a
potential issue that mesh sends invalid event (PLINK_OPEN) which will
lead another invalid timer register such as MeshConfirm Timer. This
behaviour might lead to undefined mesh state.
Signed-off-by: Peter Oh <poh@qca.qualcomm.com>
Instead of hardcoding "ad-hoc" in the array of supported capabilities,
add this only if the driver indicates support for IBSS.
Signed-off-by: Saurav Babu <saurav.babu@samsung.com>
wpas_ap_pmksa_cache_list() and wpas_ap_pmksa_cache_flush() should be
under the #ifdef since they're only called for the control iface and
use functionality that otherwise isn't available.
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Since ieee80211w=2 is an explicit configuration to wpa_supplicant, the
connection attempt for such non-PMF (non-RSN) capable networks should be
skipped.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
PMF is available only with RSN and pmf=2 could have prevented open
network connections. Change the global wpa_supplicant pmf parameter to
be interpreted as applying only to RSN cases to allow it to be used with
open networks.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Many of the global configuration parameters are written as strings
without filtering and if there is an embedded newline character in the
value, unexpected configuration file data might be written.
This fixes an issue where wpa_supplicant could have updated the
configuration file global parameter with arbitrary data from the control
interface or D-Bus interface. While those interfaces are supposed to be
accessible only for trusted users/applications, it may be possible that
an untrusted user has access to a management software component that
does not validate the value of a parameter before passing it to
wpa_supplicant.
This could allow such an untrusted user to inject almost arbitrary data
into the configuration file. Such configuration file could result in
wpa_supplicant trying to load a library (e.g., opensc_engine_path,
pkcs11_engine_path, pkcs11_module_path, load_dynamic_eap) from user
controlled location when starting again. This would allow code from that
library to be executed under the wpa_supplicant process privileges.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Most of the cred block parameters are written as strings without
filtering and if there is an embedded newline character in the value,
unexpected configuration file data might be written.
This fixes an issue where wpa_supplicant could have updated the
configuration file cred parameter with arbitrary data from the control
interface or D-Bus interface. While those interfaces are supposed to be
accessible only for trusted users/applications, it may be possible that
an untrusted user has access to a management software component that
does not validate the credential value before passing it to
wpa_supplicant.
This could allow such an untrusted user to inject almost arbitrary data
into the configuration file. Such configuration file could result in
wpa_supplicant trying to load a library (e.g., opensc_engine_path,
pkcs11_engine_path, pkcs11_module_path, load_dynamic_eap) from user
controlled location when starting again. This would allow code from that
library to be executed under the wpa_supplicant process privileges.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Spurious newlines output while writing the config file can corrupt the
wpa_supplicant configuration. Avoid writing these for the network block
parameters. This is a generic filter that cover cases that may not have
been explicitly addressed with a more specific commit to avoid control
characters in the psk parameter.
Signed-off-by: Paul Stewart <pstew@google.com>
WPA/WPA2-Personal passphrase is not allowed to include control
characters. Reject a passphrase configuration attempt if that passphrase
includes an invalid passphrase.
This fixes an issue where wpa_supplicant could have updated the
configuration file psk parameter with arbitrary data from the control
interface or D-Bus interface. While those interfaces are supposed to be
accessible only for trusted users/applications, it may be possible that
an untrusted user has access to a management software component that
does not validate the passphrase value before passing it to
wpa_supplicant.
This could allow such an untrusted user to inject up to 63 characters of
almost arbitrary data into the configuration file. Such configuration
file could result in wpa_supplicant trying to load a library (e.g.,
opensc_engine_path, pkcs11_engine_path, pkcs11_module_path,
load_dynamic_eap) from user controlled location when starting again.
This would allow code from that library to be executed under the
wpa_supplicant process privileges.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
When the P2P Device interface is used and an existing interface is used
for P2P GO/Client, the P2P Device configuration was not cloned to the
configuration of the existing interface. Thus, configuration parameters
such as idle_group_time, etc., were not propagated to the P2P GO/Client
interface.
Handle this by copying all configuration parameters of the P2P device
interface to the reused interface, with the following exceptions:
1. Copy the NFC key data only if it was not set in the configuration
file.
2. The WPS string fields are set only if they were not previously set
in the configuration of the destination interface (based on the
assumption that these fields should be identical among all
interfaces).
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Use the p2pdev pointer instead of the parent pointer to comply with the
flows when a dedicated P2P Device interface is used and
p2p_no_group_iface == 1 (in which case the parent of the reused
interface isn't necessary the same as p2pdev).
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
On receiving a WNM BSS Transition Management Request frame with a
candidate list, fetch the latest scan results from the kernel to see if
there are any recent scan results for the candidates and initiate a
connection if found. This helps to avoid triggering a new scan in cases
where a scan initiated by something else (e.g., an internal beacon
measurement report functionality in a driver) has processed Beacon or
Probe Response frames without wpa_supplicant having received a
notification of such an update yet.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
systemd service files were supplied with old D-Bus bus name. After
service activation systemd was waiting for appearance of specified bus
name to consider it started successfully. However, if wpa_supplicant was
compiled only with the new D-Bus interface name, systemd didn't notice
configured (old) D-Bus bus name appearance. In the end, service was
considered malfunctioning and it was deactivated.
Update systemd service BusName property according to supported D-Bus
interface version.
Signed-off-by: Marcin Niestroj <m.niestroj@grinn-global.com>
This allows local GO to fetch the P2P Interface Address of a P2P Client
in the group based on the P2P Device Address for the client. This
command should be sent only on a group interface (the same peer may be
in multiple concurrent groups).
Usage:
P2P_GROUP_MEMBER <P2P Device Address>
Output:
<P2P Interface Address>
Signed-off-by: Purushottam Kushwaha <pkushwah@qti.qualcomm.com>
Trigger an event when wpa_supplicant accepts an invitation to re-invoke
a persistent group. Previously wpa_supplicant entered group formation
without triggering any specific events and it could confuse clients,
especially when operating with a driver that does not support
concurrency between P2P and infrastructure connection.
Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
Parse a received neighbor report and report for each neighbor report the
data received for it:
RRM-NEIGHBOR-REP-RECEIVED bssid=<BSSID> info=0x<hex> op_class=<class> chan=<chan> [lci=hex] [civic=hex]
Note that this modifies the previous format that originally reported
only the length of the received frame.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Handle radio measurement request that contains LCI request. Send
measurement report based on a configurable LCI report element. The LCI
report element is configured over the control interface with
SET lci <hexdump of the element>
and cleared with
SET lci ""
Signed-off-by: David Spinadel <david.spinadel@intel.com>