Commit graph

4271 commits

Author SHA1 Message Date
Avraham Stern
891aa65b88 RRM: Use dynamically allocated buffer for beacon report
The maximum required size for each Beacon Report element is known in
advance: it is the size of the Beacon Report element fixed fields + the
size of the Reported Frame Body subelement.

Allocate the buffer used for constructing the Beacon Report element
dynamically with the maximum needed size, instead of using a very
large static buffer.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
2017-03-08 16:05:52 +02:00
Johannes Berg
a1f11e34c4 Use os_memdup()
This leads to cleaner code overall, and also reduces the size
of the hostapd and wpa_supplicant binaries (in hwsim test build
on x86_64) by about 2.5 and 3.5KiB respectively.

The mechanical conversions all over the code were done with
the following spatch:

    @@
    expression SIZE, SRC;
    expression a;
    @@
    -a = os_malloc(SIZE);
    +a = os_memdup(SRC, SIZE);
    <...
    if (!a) {...}
    ...>
    -os_memcpy(a, SRC, SIZE);

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2017-03-07 13:19:10 +02:00
Kanchanapally, Vidyullatha
af8bc24da3 MBO: Add support for transition reject reason code
Add support for rejecting a BSS transition request using MBO reject
reason codes. A candidate is selected or rejected based on whether it is
found acceptable by both wpa_supplicant and the driver. Also accept any
candidate meeting a certain threshold if disassoc imminent is set in BTM
Request frame.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-03-07 00:34:14 +02:00
Kanchanapally, Vidyullatha
3ab484928a nl80211: Driver command for checking BTM accept/reject
Add driver interface command using the QCA vendor extensions to check
the driverr whether to accept or reject a BSS transition candidate. For
the reject case, report an MBO reject reason code.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-03-07 00:20:29 +02:00
Avraham Stern
23cddd7519 wpa_supplicant: Fix non_pref_chan example
The parsing code expects non_pref_chan to be non-quoted.
Fix the example in wpa_supplicant.conf not to include
quotes.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
2017-03-06 23:41:26 +02:00
Hu Wang
57d3c5913a Clear scan_res_handler on no-retry failure
Previously it was possible for wpa_s->scan_res_handler to remain set to
its old value in case wpa_drv_scan() failed and no retry for the scan
trigger was scheduled (i.e., when last_scan_req == MANUAL_SCAN_REQ).
This could result in getting stuck with the next connection attempt
after a failed "SCAN TYPE=ONLY" operation when wpa_s->scan_res_handler
was set to scan_only_handler().

Fix this by clearing wpa_s->scan_res_handler if wpa_drv_scan() fails and
no retry is scheduled.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-03-01 16:39:30 +02:00
Amarnath Hullur Subramanyam
e9518ae749 WFD: Add WFD R2 Subelements
Define and add support for WFD R2 Subelements.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-03-01 11:59:57 +02:00
Jouni Malinen
206516e8c2 af_alg: Crypto wrappers for Linux kernel crypto (AF_ALG)
CONFIG_TLS=linux can now be used to select the crypto implementation
that uses the user space socket interface (AF_ALG) for the Linux kernel
crypto implementation. This commit includes some of the cipher, hash,
and HMAC functions. The functions that are not available through AF_ALG
(e.g., the actual TLS implementation) use the internal implementation
(CONFIG_TLS=internal).

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-28 11:24:15 +02:00
Ashwini Patil
dca4b503f1 MBO: Fix minimum length check on non_pref_chan configuration
The reason detail field in non_pref_chan attribute was removed
from MBO draft v0.0_r25. Also oper_class can be 1 character for
few country codes (e.g., country code-UK, channel number-1). So the
shortest channel configuration is 7 characters.

This was missed in the earlier commit
4a83d4b686 ('MBO: Do not add reason_detail
in non_pref_chan attr (STA)') that took care of other changes related to
removal of the reason detail.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-26 12:26:22 +02:00
Jouni Malinen
c4bb39707f Fix AES-SIV build dependencies
aes-siv.c needs functions from aes-ctr.c and aes-omac1.c, so set
NEED_AES_CTR=y and NEED_AES_OMAC1=y if NEED_AES_SIV is defined. This
fixes some build configuration combinations where either of those
dependencies were not pulled in through other parameters. For example,
some CONFIG_FILS=y cases were impacted.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-26 12:05:40 +02:00
Jouni Malinen
694a3a0d64 mesh: Fix CONFIG_MESH=y build without CONFIG_IEEE80211W=y
Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-26 12:05:40 +02:00
Jouni Malinen
88a447556e Fix SELECT_NETWORK freq parameter
This functionality was originally added in commit
204c9ac4ee ('Extend select_network command
with freq= to reduce scan time') re-using wpa_s->manual_scan_freqs and
MANUAL_SCAN_REQ. That got broken when commit
35d403096e ('Set NORMAL_SCAN_REQ on
SELECT_NETWORK/ENABLE_NETWORK') started overriding wpa_s->scan_req for
SELECT_NETWORK.

Fix this by adding a new scan frequency list specifically for
SELECT_NETWORK so that this does not need to depend on any specific
wpa_s->scan_req value.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-26 12:05:40 +02:00
Saurav Babu
d02989f2e4 D-Bus: Notify mesh capability if driver supports it
Signed-off-by: Saurav Babu <saurav.babu@samsung.com>
2017-02-26 12:05:40 +02:00
Jouni Malinen
b7286c1b5d FILS: External management of PMKSA cache entry with Cache Identifier
The PMKSA_GET and PMKSA_ADD commands can now use an optional extra
parameter to fetch and add PMKSA cache entries with the FILS Cache
Identifier.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-26 12:05:40 +02:00
Jouni Malinen
869af30728 FILS: Use FILS Cache Identifier to extend PMKSA applicability
This allows PMKSA cache entries for FILS-enabled BSSs to be shared
within an ESS when the BSSs advertise the same FILS Cache Identifier
value.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-26 12:05:40 +02:00
Jouni Malinen
6aea02e579 SME: Clear portValid on starting authentication to fix FILS
The ft_completed for FILS authentication case in
wpa_supplicant_event_assoc() depends on something having cleared
portValid so that setting it TRUE ends up authorizing the port. This
clearing part did not happen when using FILS authentication during a
reassociation within an ESS. Fix this by clearing portValid in
sme_send_authentication() just before the keys are cleared (i.e., the
old connection would not be usable anyway).

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-21 12:51:48 +02:00
Jouni Malinen
ba9774bd76 FILS: Fix BSSID in reassociation case
The RSN supplicant implementation needs to be updated to use the new
BSSID whenever doing FILS authentication. Previously, this was only done
when notifying association and that was too late for the case of
reassociation. Fix this by providing the new BSSID when calling
fils_process_auth(). This makes PTK derivation use the correct BSSID.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-21 12:26:57 +02:00
Saurav Babu
213eb18851 dbus: Set mode to mesh in bss properties when mesh is supported
Signed-off-by: Saurav Babu <saurav.babu@samsung.com>
2017-02-20 22:14:19 +02:00
Purushottam Kushwaha
3f23260da8 nl80211: Notify reason for connection timeout failure
This adds reason for timeout in event CTRL-EVENT-ASSOC-REJECT whenever
connection failure happens because of timeout. This extends the
"timeout" parameter in the event to include the reason, if available:
timeout=scan, timeout=auth, timeout=assoc.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-20 10:47:08 +02:00
Peng Xu
d512f406fc hostapd: Add IEEE 802.11ax HE IEs into Beacon/Probe Response frames
IEEE 802.11ax HE changes to include HE IEs in Beacon and Probe Response
frames. These elements are using vendor specific forms for now since the
IEEE 802.11ax draft is not yet finalized and the element contents is
subject to change.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-19 17:37:55 +02:00
Peng Xu
94380cb40a hostapd: Initial IEEE 802.11ax (HE) definitions
Add IEEE 802.11ax definitions for config, IEEE structures, and
constants. These are still subject to change in the IEEE process.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-19 17:37:52 +02:00
Masashi Honma
84ea61cffe mesh: Use correct rate in HT and legacy mixed environment
Let mesh STA A be a STA which has config disable_ht=1.
Let mesh STA B be a STA which has config disable_ht=0.
The mesh STA A and B was connected.

Previously, the mesh STA A sent frame with HT rate even though its HT
was disabled. This commit fixes the issue by checking the local BSS HT
configuration.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2017-02-19 16:01:17 +02:00
Masashi Honma
025c6a47fb VHT: Remove a redundant check
This check is already done in ibss_mesh_setup_freq().

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2017-02-19 16:01:17 +02:00
Jouni Malinen
c6c41f6ea6 FT: Support addition of RIC elements into Reassociation Request frame
The new "SET ric_ies <hexdump>" control interface command can now be
used to request wpa_supplicant to add the specified RIC elements into
Reassociation Request frame when using FT protocol. This is mainly for
testing purposes.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-18 21:39:01 +02:00
Jouni Malinen
62944f7d2c Add HMAC-SHA384 with internal crypto
This is a copy of the internal HMAC-SHA256 implementation with the hash
block size and output length updated to match SHA384 parameters.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-16 22:15:29 +02:00
Jouni Malinen
3a7819f0ad P2P: Add P2P_SET override_pref_op_chan to allow overriding preference
This new P2P_SET parameter uses <op_class>:<channel> format and is used
mainly for testing purposes to allow overriding the value of the GO
Negotiation Response frame Operating Channel attribute.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-16 12:08:22 +02:00
Jouni Malinen
c06fca04fd Add wpa_supplicant SET get_pref_freq_list_override
This can be used to override driver get_pref_freq_list() operation for
more convenient testing of preferred frequency list functionality.

Override string format:
<if_type1>:<freq1>,<freq2>,... <if_type2>:...

if_type: 0=STATION, 2=AP, 3=P2P_GO, 4=P2P_CLIENT, 8=TDLS, 9=IBSS

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-16 12:08:22 +02:00
Jouni Malinen
b4d56efb1a Use throughput estimate-based BSS selection with larger SNR difference
Previously, the est_throughput comparison was done only when SNR
difference was less than 5 dB. Since the throughput estimation take into
account SNR, this can be done in more cases. For now, add a conservative
2 dB more to the difference so that any SNR difference below 7 dB
results in BSS selection based on throughput estimates.

In addition, the throughput estimates require SNR values to be
available, so separate this from the 5 GHz preference that can be done
based on either SNR or qual values.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-16 12:05:10 +02:00
Jouni Malinen
1420414878 Drop GREAT_SNR definition from 30 to 25 dB
This allows throughput estimates and 5 GHz preference over 2.4 GHz band
to be used in more cases. The previously used value of 30 was
significantly more conservative than the SNR limits used for the highest
rate in scan_est_throughput() and this resulted in cases where 5 GHz AP
was ignored while SNR with it would have been close to reaching the
maximum TX rate.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-16 11:15:13 +02:00
Jouni Malinen
b5562a1a6e FILS: Remove CRC32 dependency from build
The published P802.11ai version does not use CRC32 anymore, so remove
inclusion of crc32.o into wpa_supplicant and hostapd builds based on
CONFIG_FILS=y.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-13 23:17:31 +02:00
Jouni Malinen
577e794eba Sync android.config with wpa_supplicant defconfig changes
This adds new edits from defconfig to android.config. No new build
options are enabled, i.e., this is only bringing in comment updates and
new parameters in commented out form.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-11 10:21:56 +02:00
Jouni Malinen
784710b7ff Add bgscan options to wpa_supplicant defconfig
Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-11 10:21:24 +02:00
Jouni Malinen
212a8f487f Fix wpa_supplicant defconfig copy-paste description
This is obviously for the wpa_supplicant binary, not hostapd.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-11 10:12:16 +02:00
vamsi krishna
57c3a605ce Add support to sched scan to report relatively better BSSs
Add support to set sched scan relative RSSI parameters so that the
drivers can report BSSs after relative comparision with the current
connected BSS. This feature is applicable only when in connected mode.

The below commands can be used to configure relative RSSI parameters
SET relative_rssi <disable|rssi_value>
	disable - to disable the feature
	rssi_value - amount of relative RSSI in dB
SET relative_band_adjust <band:adjust_value>
	band - "2G" or "5G" for 2.4 GHz or 5 GHz respectively
	adjust_value - amount of RSSI to be adjusted in dB

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-10 19:48:12 +02:00
Paul Stewart
ed9b1c16d5 EAP peer: Cache decrypted requests for EAP-SIM/AKA/AKA'
Add an internal flag which indicates to tunneled EAP methods (FAST,
PEAP, TTLS) that they should cache decrypted EAP-SIM/AKA/AKA' requests.
This allows EAP-SIM/AKA/AKA' to be tunneled within these outer methods
while using an external SIM authenticator over the control interface.

Signed-off-by: Paul Stewart <pstew@google.com>
2017-02-10 19:48:12 +02:00
Jouni Malinen
5f11880f6a SME: Remove null ie param from CTRL-EVENT-AUTH-REJECT
Clean up the event message by removing the ie=<value> parameter when the
IEs are not available instead of printing out "ie=(null)".

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-10 19:48:12 +02:00
Jouni Malinen
4d70b2a4e5 RRM: Fix a memory leak in beacon request handling
Free the pending frequency list if a second beacon request is received
before the scan for the previous one has been completed.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-10 19:48:04 +02:00
vamsi krishna
b4fd1f0ed7 Allow PNO scan also in connection completed state
Sched scan is supported by the kernel also in the connected state, so
allow PNO scan to be issued in the connected state from wpa_supplicant
as well.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-08 15:55:35 +02:00
Jouni Malinen
4c6f450cad Add radio_work_is_connect() helper
This avoids duplicated code to check for different types of connection
radio work items.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-07 23:58:56 +02:00
Sunil Dutt
85b6b6b6e1 Serialize scan/p2p-scan if already scheduled on the same interface
The current implementation of QCA vendor scan does not handle the
simultaneous scan/p2p-scan operations on the same interface due to
missing support for tracking multiple scan cookie values. Hence
serialize such operations on the same interface for now.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-07 23:58:55 +02:00
Jouni Malinen
fcb303a57f P2P: Clear driver scan cache after BSS_FLUSH
The only_new_results=1 scan parameter was previously set on other scan
cases, but not on the two P2P specific scan triggers. Set this also for
those P2P cases to get consistent behavior after BSS_FLUSH.

This was showing up with number of hwsim P2P test cases maintaining
unexpected scan results from previous test cases due to the flush
operation not really working correctly since the cfg80211 BSS table was
not explicitly cleared.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-07 22:48:20 +02:00
Vamsi Krishna
1d9d21f376 GAS: Add support to randomize transmitter address
Add support to send GAS requests with a randomized transmitter address
if supported by the driver. The following control interface commands
(and matching configuration file parameters) can be used to configure
different types of randomization:

"SET gas_rand_mac_addr 0" to disable randomizing TX MAC address,
"SET gas_rand_mac_addr 1" to randomize the complete TX MAC address,
"SET gas_rand_mac_addr 2" to randomize the TX MAC address except for OUI.

A new random MAC address will be generated for every
gas_rand_addr_lifetime seconds and this can be configured with
"SET gas_rand_addr_lifetime <timeout>".

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-07 19:41:32 +02:00
Masashi Honma
f3e1570576 VHT: Fill VHT capability with hardware capability
Previously, VHT capability was default value (=0x0000). This makes
VHT Capabilities Info in VHT Capabilities IE in mesh peering
open/confirm frame 0x0000. This patch fills it with hardware capability.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2017-02-07 11:14:55 +02:00
Günther Kelleter
41f140d386 Add hostapd options wpa_group_update_count and wpa_pairwise_update_count
wpa_group_update_count and wpa_pairwise_update_count can now be used to
set the GTK and PTK rekey retry limits (dot11RSNAConfigGroupUpdateCount
and dot11RSNAConfigPairwiseUpdateCount). Defaults set to current
hardcoded value (4).

Some stations may suffer from frequent deauthentications due to GTK
rekey failures: EAPOL 1/2 frame is not answered during the total timeout
period of currently ~3.5 seconds. For example, a Galaxy S6 with Android
6.0.1 appears to go into power save mode for up to 5 seconds. Increasing
wpa_group_update_count to 6 fixed this issue.

Signed-off-by: Günther Kelleter <guenther.kelleter@devolo.de>
2017-02-07 00:25:36 +02:00
Sunil Dutt
f47f936170 P2P: Override P2P_PEER group_capab with 0 if no matching BSS entry found
Relying on the group_capab from the P2P peer information can result in
improper information on whether the peer is currently operating as a GO.
However, there is a known implementation in Android that does this.

To reduce issues from this misuse in upper layer to try to determine
whether a specific peer is operationg a group, override the group_capab
value in P2P_PEER output with 0 if there are no BSS entries with the
peer P2P Device as a GO. This is not a perfect information since there
may not have been a recent scan on all channels, but this results in
less issues than trying to decide between new group formation and
joining an existing group based on stale or incorrect information.

Since no upper layer application is really supposed to use the
group_capab field value in P2P_PEER command, this change should not
cause any impact for properly design components and the possibility of
regressions is limited to cases that are already known to work
incorrectly in number of identifiable cases.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-06 12:17:12 +02:00
Jouni Malinen
bcf66493cf Fix estimated throughput based skip-roam case
Commit 8d1e693186 ('Use estimated
throughput to avoid signal based roaming decision') added a check for
the current BSS estimated throughput being significantly higher than the
selected BSS estimated throughput. However, this case for skipping a
roam used "return 1" which actually allows the roam. Fix this by
returning 0 in this case.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-05 21:52:26 +02:00
Jouni Malinen
1fb4437c80 tests: Validate hwaddr/hexstr input to DRIVER_EVENT SCAN_RES
To be more consistent with existing hwaddr_aton() and hexstr2bin()
callers, check the return values in this test command.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-05 16:31:03 +02:00
Jouni Malinen
db5e53cb06 mesh: Fix struct hostapd_data initialization
The local custom version of allocating and initializing struct
hostapd_data within wpa_supplicant_mesh_init() is problematic. This has
already missed couple of initialization steps that are required. Instead
of trying to remember to keep this up to date, use
hostapd_alloc_bss_data() so that there is only one place for this
initialization.

This is fixing a recent issue where FILS HLP started using
hapd->dhcp_server and expected that to be initialized to -1. For the
mesh case, that did not happen and when removing the interface, the FILS
HLP implementation ended up unregistering eloop socket for
hapd->dhcp_server (= 0). This could result in missing socket callbacks
for an arbitrary socket.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-04 22:17:54 +02:00
Jouni Malinen
9b170991ac mesh: Fix mesh interface removal fix
This wpa_drv_if_remove() call was previously modified to fix a different
issue, but that fix resulted in unconditional use of treed memory here
(wpa_supplicant_deinit_iface() frees wpa_s). Make a local copy of
wpa_s->parent to be able to use it after wpa_s is freed. The
mesh_if_created case has wpa_s->parent != wpa_s, so this should be
sufficient way of handling the wpa_drv_if_remove() call here.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-02-04 21:24:37 +02:00
Jouni Malinen
124ddfa19e FILS: Parse and report received FILS HLP Containers from response
The new FILS-HLP-RX control interface event is now used to report
received FILS HLP responses from (Re)Association Response frame as a
response to the HLP requests configured with FILS_HLP_REQ_ADD.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-02-01 18:17:39 +02:00
Jouni Malinen
54b04d6f39 FILS: Move HLP request handling into a separate file
This is independent functionality from the core IEEE 802.11 management
handling and will increase significantly in size, so it is cleaner to
maintain this in a separate source code file.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-01-31 17:46:13 +02:00
Dmitry Shmidt
f2bc344808 wpa_supplicant: Fix global control interface for STA/STA-FIRST/STA-NEXT
update_stations(ctrl_conn) is stuck in never-ending loop:

sendto(3, "STA-FIRST", 9, 0, NULL, 0)   = 9
pselect6(4, [3], NULL, NULL, {10, 0}, NULL) = 1 (in [3], left {9, 999995000})
recvfrom(3, "UNKNOWN COMMAND\n", 4095, 0, NULL, NULL) = 16
sendto(3, "STA-NEXT UNKNOWN COMMAND", 24, 0, NULL, 0) = 24
pselect6(4, [3], NULL, NULL, {10, 0}, NULL) = 1 (in [3], left {9, 999995833})
recvfrom(3, "UNKNOWN COMMAND\n", 4095, 0, NULL, NULL) = 16
sendto(3, "STA-NEXT UNKNOWN COMMAND", 24, 0, NULL, 0) = 24
pselect6(4, [3], NULL, NULL, {10, 0}, NULL) = 1 (in [3], left {9, 999995000})
recvfrom(3, "UNKNOWN COMMAND\n", 4095, 0, NULL, NULL) = 16
sendto(3, "STA-NEXT UNKNOWN COMMAND", 24, 0, NULL, 0) = 24

Direct STA, STA-FIRST, and STA-NEXT commands from the global control
interface to a per-interface control interface to avoid this.

Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
2017-01-30 01:54:22 +02:00
Jouni Malinen
0da355235e FST: Remove WPA_ASSERT from wpas_fst_send_action_cb()
It was possible to hit this WPA_ASSERT when FST-MANAGER SESSION_REMOVE
command is exececuted when in not-associated state. In
CONFIG_EAPOL_TEST=y builds, this would result in the wpa_supplicant
process being terminated. Convert this WPA_ASSERT to a check that does
not terminate the process, but only rejects the command if wpa_s->bssid
does not match the da argument.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-29 19:22:14 +02:00
Andrejs Cainikovs
6a5425fd60 Increase delayed EAPOL RX frame timeout
Increase the EAPOL RX frame timeout from 100 to 200 ms. This fixes lack
of optimization (i.e., first EAPOL frame dropped) in occasional roaming
and authentication cases on EAP networks if the kernel events can be
reordered and delayed a bit longer.

Signed-off-by: Tomoharu Hatano <tomoharu.hatano@sonymobile.com>
2017-01-29 18:41:29 +02:00
Johannes Berg
cef8fac04b wpa_auth: Make struct wpa_auth_callbacks const
Instead of copying the struct wpa_auth_callbacks, just keep a pointer to
it, keep the context pointer separate, and let the user just provide a
static const structure. This reduces the attack surface of heap
overwrites, since the function pointers move elsewhere.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2017-01-29 18:41:26 +02:00
Johannes Berg
30eddf3529 Fix or supress various sparse warnings
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2017-01-29 18:33:10 +02:00
Jouni Malinen
b301f54e55 IBSS/mesh: Skip VHT channel setup with vht_disabled=1
If the VHT capability override vht_disabled=1 is used in the network
profile, skip VHT configuration of the local channel.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-29 18:31:54 +02:00
Masashi Honma
adc6a5d81a mesh: Check remote peer HT Operation element
The remote mesh STA which had configuration disable_ht40=1 could have HT
Capabilities element which includes Supported Channel Width Set = 1
(both 20 MHz and 40 MHz operation is supported) even though it had HT
Operation element which includes STA Channel Width = 0 (20 MHz channel
width only). Previously, local peer recognized such a remote peer as 40
MHz band width enabled STA because local peer only checked HT
Capabilities element. This could cause disconnection between
disable_ht40=1 mesh STA and disable_ht40=0 mesh STA. They could
establish a mesh BSS but could not ping with ath9k_htc device. This
commit fixes the issue by refering HT Operation element.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2017-01-29 18:04:21 +02:00
Masashi Honma
9eb5757a86 Define helper function set_disable_ht40()
This functionality can be used outside wpa_set_disable_ht40(), so move
the generic part to a helper function.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2017-01-29 18:04:21 +02:00
Saurav Babu
6b585f420a mesh: Fix crash on removing virtual mesh interface
If a virtual mesh interface has been created and is still operational
when the main interface is removed (e.g., Wi-Fi hardware ejected), the
following crash occurred with the below backtrace:

WPA_TRACE: eloop SIGSEGV - START
[1]: /usr/local/sbin/wpa_supplicant() [0x44ef7e]
     eloop_sigsegv_handler() home/saurav/hostap/wpa_supplicant/../src/utils/eloop.c:123
[2]: /lib/x86_64-linux-gnu/libc.so.6(+0x36d40) [0x7f4c395cfd40]
[3]: /usr/local/sbin/wpa_supplicant(wpa_supplicant_remove_iface+0xd0) [0x57f500]
     wpa_supplicant_remove_iface() home/saurav/hostap/wpa_supplicant/wpa_supplicant.c:5338
[4]: /usr/local/sbin/wpa_supplicant() [0x57fbef]
     wpa_supplicant_deinit_iface() home/saurav/hostap/wpa_supplicant/wpa_supplicant.c:5069
[5]: /usr/local/sbin/wpa_supplicant(wpa_supplicant_remove_iface+0xc5) [0x57f4f5]
     wpa_supplicant_remove_iface() home/saurav/hostap/wpa_supplicant/wpa_supplicant.c:5343
[6]: /usr/local/sbin/wpa_supplicant(wpas_dbus_handler_remove_interface+0x8d) [0x55baad]
     wpas_dbus_handler_remove_interface() home/saurav/hostap/wpa_supplicant/dbus/dbus_new_handlers.c:679
[7]: /usr/local/sbin/wpa_supplicant() [0x5560cb]
     msg_method_handler() home/saurav/hostap/wpa_supplicant/dbus/dbus_new_helpers.c:354
     message_handler() home/saurav/hostap/wpa_supplicant/dbus/dbus_new_helpers.c:410
[8]: /lib/x86_64-linux-gnu/libdbus-1.so.3(+0x1be86) [0x7f4c39979e86]
[9]: /lib/x86_64-linux-gnu/libdbus-1.so.3(dbus_connection_dispatch+0x381) [0x7f4c3996ca21]
[10]: /usr/local/sbin/wpa_supplicant() [0x567148]
     dispatch_data() home/saurav/hostap/wpa_supplicant/dbus/dbus_common.c:36
[11]: /usr/local/sbin/wpa_supplicant() [0x5674a7]
     process_watch() home/saurav/hostap/wpa_supplicant/dbus/dbus_common.c:75
     process_watch_read() home/saurav/hostap/wpa_supplicant/dbus/dbus_common.c:90
[12]: /usr/local/sbin/wpa_supplicant() [0x44f297]
     eloop_sock_table_dispatch() home/saurav/hostap/wpa_supplicant/../src/utils/eloop.c:598
[13]: /usr/local/sbin/wpa_supplicant(eloop_run+0x1fe) [0x44ff1e]
     eloop_run() home/saurav/hostap/wpa_supplicant/../src/utils/eloop.c:1219
[14]: /usr/local/sbin/wpa_supplicant(wpa_supplicant_run+0x77) [0x57fd87]
     wpa_supplicant_run() home/saurav/hostap/wpa_supplicant/wpa_supplicant.c:5608
[15]: /usr/local/sbin/wpa_supplicant(main+0x3a8) [0x43ba88]
     main() home/saurav/hostap/wpa_supplicant/main.c:392
WPA_TRACE: eloop SIGSEGV - END
Aborted (core dumped)

Signed-off-by: Saurav Babu <saurav.babu@samsung.com>
2017-01-29 17:42:02 +02:00
Jouni Malinen
5732b770f4 FILS: Allow FILS HLP requests to be added
The new wpa_supplicant control interface commands FILS_HLP_REQ_FLUSH and
FILS_HLP_REQ_ADD can now be used to request FILS HLP requests to be
added to the (Re)Association Request frame whenever FILS authentication
is used.

FILS_HLP_REQ_ADD parameters use the following format:
<destination MAC address> <hexdump of payload starting from ethertype>

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-01-29 14:32:17 +02:00
Jouni Malinen
afe731004b Fix CONFIG_SAE build without CONFIG_SME
The control interface code was using wpa_s->sme in an area that was not
within ifdef CONFIG_SME.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-28 11:58:26 +02:00
Jouni Malinen
34e8bfd7a9 Skip EVENT_ACS_CHANNEL_SELECTED also without CONFIG_AP
CONFIG_ACS alone should not refer to wpa_s->ap_iface to avoid potential
compilation issues.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-28 11:57:23 +02:00
vamsi krishna
53b38209f4 GAS: Cancel gas_query_timeout when AP responds with comeback delay
When AP responds with comeback delay for initial GAS query sent by STA,
gas_query_timeout should be cancelled to avoid GAS failures when
comeback delay is more than GAS_QUERY_TIMEOUT_PERIOD. The
gas_query_timeout is getting registered again when tx_status is received
for GAS comeback request.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-01-23 07:02:30 +02:00
Masashi Honma
4d77d80edd mesh: Add MESH_PMKSA_GET/ADD commands
These commnds are mesh version of PMKSA_GET/ADD commands. So the usage
and security risk is similar to them. Refer to
commit 3459381dd2 ('External persistent
storage for PMKSA cache entries') also.

The MESH_PMKSA_GET command requires peer MAC address or "any" as an
argument and outputs appropriate stored PMKSA cache. And the
MESH_PMKSA_ADD command receives an output of MESH_PMKSA_GET and re-store
the PMKSA cache into wpa_supplicant. By using re-stored PMKSA cache,
wpa_supplicant can skip commit message creation which can use
significant CPU resources.

The output of the MESH_PMKSA_GET command uses the following format:
<BSSID> <PMKID> <PMK> <expiration in seconds>

The example of MESH_PMKSA_ADD command is this.
MESH_PMKSA_ADD 02:00:00:00:03:00 231dc1c9fa2eed0354ea49e8ff2cc2dc cb0f6c9cab358a8146488566ca155421ab4f3ea4a6de2120050c149b797018fe 42930
MESH_PMKSA_ADD 02:00:00:00:04:00 d7e595916611640d3e4e8eac02909c3c eb414a33c74831275f25c2357b3c12e3d8bd2f2aab6cf781d6ade706be71321a 43180

This functionality is disabled by default and can be enabled with
CONFIG_PMKSA_CACHE_EXTERNAL=y build configuration option.

Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2017-01-14 18:07:46 +02:00
Jouni Malinen
117875db33 D-Bus: Add GroupMgmt entry into the interface Capabilities dict
This can be used to determine whether the driver supports PMF and if so,
with which group management cipher suites. In addition, add the missing
pairwise and group cipher suite values to the documentation while adding
this new entry there as well.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-14 17:41:20 +02:00
Stijn Tintel
3cdb4ac074 D-Bus: Add pmf to global capabilities
This indicates that the wpa_supplicant binary has been compiled with PMF
support.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-01-14 17:29:22 +02:00
Stijn Tintel
adf8f45f8a D-Bus: Implement Pmf property
The Pmf property is documented in doc/dbus.doxygen, but does not exist,
so implement it.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2017-01-14 17:28:00 +02:00
Jouni Malinen
b98706c14b RSN IBSS: Fix TK clearing on Authentication frame RX
When wpa_supplicant was processing a received Authentication frame (seq
1) from a peer STA for which there was already a TK configured to the
driver, debug log claimed that the PTK gets cleared, but the actual
call to clear the key was actually dropped due to AUTH vs. SUPP set_key
selection. Fix this by explicitly clearing the TK in case it was set
and an Authentication frame (seq 1) is received.

This fixes some cases where EAPOL-Key frames were sent encrypted using
the old key when a peer STA restarted itself and lost the key and had to
re-join the IBSS. Previously, that state required timing out the 4-way
handshake and Deauthentication frame exchange to recover.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-14 13:56:18 +02:00
Johannes Berg
f09095d57b wpa_supplicant: Clarify group_rekey documentation
This is also used in mesh and AP modes.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2017-01-13 15:05:26 +02:00
Jouni Malinen
8f315d0505 Fix country code in wpa_supplicant AP mode Country element
country[2] needs to be set to ' ' instead of left to '\0' for the case
where wpa_supplicant sets up AP mode operations and includes the Country
element. Currently, this would be only for DFS channels. Without this,
the Beacon frames would go out with incorrect third octet in the country
code.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-01-13 15:05:26 +02:00
Jouni Malinen
e4a3e1d076 tests: Add DRIVER_EVENT SCAN_RES for scan result testing
This control interface command can be used to inject scan results from
test scripts to make it easier to test various scan result processing
operations.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 18:39:24 +02:00
Jouni Malinen
29065686ac D-Bus: Fix BSS Mode getter for invalid DMG BSS
Previous version could have used uninitialized char* when a DMG with
invalid capabilities were added to BSS table from scan results.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 18:39:24 +02:00
Jouni Malinen
2901bc2725 bgscan: Remove unnecessary NULL check
The name argument to bgscan_init() cannot be NULL since the only caller
already checks this before the call.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 14:44:34 +02:00
Jouni Malinen
9d6eaad6b8 bgscan: Remove unnecessary NULL check
bgscan_init() is the only caller for the init() function and the
parameters argument is never NULL.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 12:43:33 +02:00
Jouni Malinen
0f9b4a0f1d bgscan: Deliver beacon loss event to bgscan modules
This adds a call to the notify_beacon_loss() callback functions when
beacon loss is detected. In addition, a new CTRL-EVENT-BEACON-LOSS event
is made available through the wpa_supplicant control interface.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 12:17:58 +02:00
Jouni Malinen
54736d8358 Store FST parameters to configuration file
This was forgotten when the parameters were added.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 00:10:57 +02:00
Jouni Malinen
35c78f7b97 Store osu_dir to configuration file
This was forgotten when the parameter was added.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 00:10:57 +02:00
Jouni Malinen
1f539c78f4 Store autoscan to configuration file
This was forgotten when the parameter was added.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 00:10:57 +02:00
Jouni Malinen
58ed9e31d1 Store filter_rssi to configuration file
This was forgotten when the parameter was added.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 00:10:57 +02:00
Jouni Malinen
1fb1bf99d6 Write sec_device_type to configuration file
This is more consistent with other global configuration parameters.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 00:10:57 +02:00
Jouni Malinen
b4bdeadfaf Make "SET" behavior more consistent for dot11RSNA parameters
These parameters are global configuration parameters for wpa_supplicant
and the special control interface SET command handlers for them were
preventing the configuration update. Make this more consistent by
updating the configuration parameter as well since that is what all the
other SET <global config param> commands do.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 00:10:57 +02:00
Jouni Malinen
e3394c0e2c Make "SET non_pref_chan .." behavior more consistent
non_pref_chan is a global configuration parameter for wpa_supplicant and
the special control interface SET command handler for it was preventing
the configuration update. Make this more consistent by updating the
configuration parameter as well since that is what all the other SET
<global config param> commands do.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 00:10:57 +02:00
Jouni Malinen
f8c201862e Fix cert_in_cb parsing in wpa_supplicant.conf
Commit 483dd6a5e0 ('Include peer
certificate always in EAP events') added this wpa_supplicant global
configuration parameter, but forgot to add the actual parsing of it, so
there was no way of setting the value.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 00:10:57 +02:00
Jouni Malinen
9284418d00 Fix writing of wpa_supplicant sae_groups configuration parameter
This integer array is zero terminated, so need to check the value is
greater than 0 when writing the parameter.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-08 00:10:57 +02:00
Jouni Malinen
7ba94fc4b0 RRM: Use wpa_hexdump_buf() instead of wpa_hexdump()
Simplify the code a bit by using the appropriate debugging function to
dump a wpabuf contents.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-07 18:47:37 +02:00
Jouni Malinen
33468e5320 RRM: Document Link Measurement Report frame construction steps
Add a comment to note which fields are expected to be updated by the
driver. In addition, reorder subfield writing to match the order in
which the fields are in the frame.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-07 18:17:59 +02:00
Jouni Malinen
40e9a3f326 RRM: Fix beacon report scan channels for VHT 80, 80+80, 160 MHz cases
ieee80211_chan_to_freq() is not really meant for conversion of 20 MHz
primary channel numbers for wider VHT channels, so handle those as
special cases here for now.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-07 12:49:48 +02:00
Jouni Malinen
5cda350896 RRM: Move wpabuf_resize() call into wpas_rrm_report_elem()
wpabuf_resize() can handle the initial allocation of a wpabuf and all
the other callers of wpas_rrm_report_elem() were already using a pointer
to a pointer and a wpabuf_resize() call. Simplify this by resizing the
wpabuf (if needed) within wpas_rrm_report_elem() instead of having to
calculate the needed size in all the callers. Thsi is also fixing one of
the allocation sizes to use the correct size instead of a size of a
struct that has nothing to do with the allocation (but is larger than
the needed five octets, so does not break anything).

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-07 12:13:20 +02:00
Jouni Malinen
f2058f4afa RRM: Remove unnecessary cb check
There is only a single caller for wpas_rrm_send_neighbor_rep_request()
and it unconditionally uses a callback function, so cb cannot be NULL
here and there is no need for additional complexity and extra code size
to check for it explicitly.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-07 12:11:49 +02:00
Beni Lev
e72faadb49 bgscan_simple: Fix short_scan_count comparison
Previously, the check was done after we reached the maximum and another
scan was already triggered.

While at it, remove an irrelevant comment that the previous change in
the logic here missed.

Signed-off-by: Beni Lev <beni.lev@intel.com>
2017-01-05 16:36:14 +02:00
Purushottam Kushwaha
c167662d73 eap_proxy: On SIM error flush PMKSAs only for SIM/AKA/AKA' networks
Previously, SIM state change with SIM_STATE_ERROR cleared all PMKSA
entries (including non-SIM networks). Limit this to networks which use
SIM-based authentication methods to avoid unnecessarily removal of PMKSA
entries.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-01-04 21:56:43 +02:00
Jouni Malinen
6657bb158b Fix OOM handling in neighbor report response handling
The pending neighbor report state needs to be cleared on error path here
to avoid getting stuck with being unable to perform any additional
neighbor reports during the association.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-01-03 19:53:03 +02:00
Jouni Malinen
7187e20930 Allow LCI request with no subelements
Allow shorter request since the subelements are optional to include.
Also print the hexdump of the subelements into debug log.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-01-03 19:53:03 +02:00
Jouni Malinen
d734201435 RRM: Enable beacon report with active/passive scan for all drivers
The requested behavior can be approximated for most use cases even if
the driver does not support reporting exact TSF values for frames.
Enable this capability for all drivers to make beacon report processing
more useful for a common use case.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-03 19:53:03 +02:00
Jouni Malinen
de6ec8b558 Enable Beacon Report using beacon table for all drivers
The special parameters for beacon report scan are not needed for the
beacon report when using the beacon table measurement mode. Advertise
support for this case regardless of whether the driver supports the scan
parameters.

Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-03 16:02:56 +02:00
Jouni Malinen
6774c6a9fe Update copyright notices for the new year 2017
Signed-off-by: Jouni Malinen <j@w1.fi>
2017-01-03 15:18:30 +02:00
Avraham Stern
76196ddb2b wpa_supplicant: Add support for Beacon Report Radio Measurement
Beacon Report Radio Measurement is defined in IEEE Std 802.11-2016,
11.11.9.1. Beacon Report is implemented by triggering a scan on the
requested channels with the requested parameters.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
2017-01-03 15:18:30 +02:00
Avraham Stern
b3060bf99f common: Add helper function to convert RSSI to RCPI
This conversion will be done several times in the code, so add a helper
function that does this conversion.

Signed-off-by: Avrahams Stern <avraham.stern@intel.com>
2017-01-03 15:18:29 +02:00
Avraham Stern
1ac4dba31a wpa_supplicant: Extend verify_channel() and make it global
Extend verify_channel() to return whether IR is allowed on the channel
or not, and make it a global function so it can be used in other files,
too. This makes this function useful for checking not only if a channel
is supported but also if it is allowed for active and passive scan.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
2017-01-03 15:18:29 +02:00
Avraham Stern
c16b9f8d33 driver: Add scan support to beacon report
Add the following parameters to scan request:
 1. Dwell time on each channel.
 2. Whether the specified dwell time is mandatory.

In addition, add to scan results info the time that the scan actually
started, and to each scan result the time the beacon/probe was received,
both in terms of TSF of the BSS that the interface that requested the
scan is connected to (if available).

Add flags to indicate whether the driver supports dwell time
configuration and scan information reporting.

This scan configuration and information is required to support beacon
report radio measurement.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
2017-01-03 15:18:29 +02:00
Avraham Stern
3c716fdbd7 wpa_supplicant: Refactor wpas_rrm_build_lci_report()
1. Change the return type to reflect whether building the report
   succeeded or failed.
2. Change argument type to rrm_measurement_request_element instead
   of raw packet data to ease processing the request.
3. Use already existing function to create the measurement report
   and add it to the report buffer.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
2017-01-03 15:18:29 +02:00
Avraham Stern
e1b96e1126 wpa_supplicant: Send rejection for unsupported radio measurements
Send measurement report with the mode field set to incapable in response
to measurement requests with unsupported measurement types.

In addition, measurements requests that request parallel measurements
are rejected since these features are not supported.

Measurement request frames with the enable bit set are ignored since
these are not really requesting measurements and are not supported for
now.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
2017-01-03 15:18:29 +02:00
Avraham Stern
0c73e410d6 wpa_supplicant: Limit RRM response size to MMPDU size
The length of a Measurement Report frame should be limited by the
maximum allowed MMPDU size (IEEE Std 802.11-2016, 9.6.2.3). Enforce this
size limit, and in case the report elements are longer than the allowed
size, split them between several MPDUs.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
2017-01-03 15:18:29 +02:00
Avraham Stern
9664ab8b71 wpa_supplicant: Refactor Radio Measurement Request handling
Extract the code dealing with processing the measurement request
elements to a separate function. This will be needed for beacon report
requests processing.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
2017-01-03 15:18:29 +02:00
Avraham Stern
332bf5d3fc wpa_supplicant: Validate RRM request frame format
RRM request frame should contain only information elements of type Radio
Measurement Request. Go through all the frame and validate that only
elements of this type are included.

In addition, if a truncated element is encountered, or the element
length field indicates that the element length is more than the
entire frame, abort the request.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
2017-01-03 15:18:29 +02:00
Avraham Stern
ec493469f6 wpa_supplicant: Move RRM implementation to a dedicated file
As support for new RRM measurements will be added, the RRM
implementation will become quite large, so move it to a dedicated file.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
2017-01-03 15:18:29 +02:00
Jouni Malinen
6a31440b86 Fix LCI request subelement processing
Commit 4a742011ab ('wpa_supplicant: Handle
LCI request') introduced LCI request parsing in a manner that
incremented the request pointer by four within
wpas_rrm_build_lci_report() without decrementing len correspondingly.
This could potentially result in get_ie() reading four octets beyond the
buffer if a corrupted request is received. This would be applicable only
if the LCI reporting was enabled explicitly ("SET LCI ..." control
interface command).

Fix this by updating the len variable to match the request pointer
changes.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2017-01-03 15:18:29 +02:00
Masashi Honma
ce691a8d96 Add CONFIG_MESH into wpa_supplicant defconfig
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2016-12-30 23:59:47 +02:00
Masashi Honma
67129ab9ec wpa_cli: Add commands to use PMKSA_GET/ADD
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
2016-12-30 23:59:34 +02:00
Badrish Adiga H R
65dfa87286 mka: Make MKA actor priority configurable
This adds a new wpa_supplicant network profile parameter
mka_priority=0..255 to set the priority of the MKA Actor.

Signed-off-by: Badrish Adiga H R <badrish.adigahr@gmail.com>
2016-12-25 11:41:46 +02:00
Jouni Malinen
77fcbf7ff1 D-Bus: Use a helper function to get possibly NULL strings
This type of check is used in quite a few getter functions, so add a
helper function to take care of it.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-23 21:28:43 +02:00
Avichal Agarwal
dbf524946b D-Bus: Add DeviceType in WPS property
Signed-off-by: Avichal Agarwal <avichal.a@samsung.com>
2016-12-23 21:28:43 +02:00
Avichal Agarwal
266097fdad D-Bus: Add device serial number in WPS property
Signed-off-by: Avichal Agarwal <avichal.a@samsung.com>
Signed-off-by: Mayank Haarit <mayank.h@samsung.com>
2016-12-23 11:02:43 +02:00
Avichal Agarwal
3ee6a3ab35 D-Bus: Add model number in WPS property
Signed-off-by: Avichal Agarwal <avichal.a@samsung.com>
Signed-off-by: Mayank Haarit <mayank.h@samsung.com>
2016-12-23 10:59:53 +02:00
Avichal Agarwal
ae66822cd8 D-Bus: Add WPS model name as property
Signed-off-by: Avichal Agarwal <avichal.a@samsung.com>
Signed-off-by: Kyeong-Chae Lim <kcya.lim@samsung.com>
2016-12-23 10:59:53 +02:00
Avichal Agarwal
318d4b5beb D-Bus: Add WPS manufacturer as property
Signed-off-by: Avichal Agarwal <avichal.a@samsung.com>
Signed-off-by: Kyeong-Chae Lim <kcya.lim@samsung.com>
Signed-off-by: Mayank Haarit <mayank.h@samsung.com>
2016-12-23 10:59:50 +02:00
Avichal Agarwal
b20f031c68 D-Bus: Add WPS device name as property
Signed-off-by: Avichal Agarwal <avichal.a@samsung.com>
Signed-off-by: Kyeong-Chae Lim <kcya.lim@samsung.com>
Signed-off-by: Mayank Haarit <mayank.h@samsung.com>
2016-12-23 10:51:09 +02:00
Sunil Dutt
4a45dc1921 mesh: Show [MESH] flag in print_bss_info()
This was previously done for SCAN_RESULTS, but the BSS control interface
command did not show a similar flag. In addition, change "WPA2" to "RSN"
for mesh BSS to be consistent with the SCAN_RESULTS output.

Commit 638d945679 ('mesh: Show [MESH] flag
in scan results') did similar changes for SCAN_RESULTS.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-22 14:11:02 +02:00
Joel Cunningham
9187b13adb wpa_supplicant: Add BSS CURRENT control interface command
This commit extends the BSS commands to include "BSS CURRENT" as a way
to get the current BSS without having to walk the BSS list matching
against BSSID+SSID returned from the STATUS command.

This returns the BSS stored in wpa_s->current_bss.

Signed-off-by: Joel Cunningham <joel.cunningham@me.com>
2016-12-21 12:42:20 +02:00
Purushottam Kushwaha
a6f3761f7d eap_proxy: Add support for SIM state change indication from eap_proxy
This registers a new callback to indicate change in SIM state. This
helps to do some clean up (more specifically pmksa_flush) based on the
state change of the SIM. Without this, the reconnection using the cached
PMKSA could happen though the SIM is changed.

Currently eap_proxy_sim_state corresponds to only SIM_STATE_ERROR. This
can be further extended.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-19 22:21:07 +02:00
Amit Purwar
4e118c847b D-Bus: Add 'freq' option to P2P Find method to specify starting channel
This allows user to start P2P Find/Scan on a particular frequency and
then move to scanning social channels. This support is already present
on control socket.

Signed-off-by: Amit Purwar <amit.purwar@samsung.com>
2016-12-19 13:09:31 +02:00
Mikael Kanstrup
dfc7731729 Android: Add p2p_add_cli_chan=1 option
Add p2p_add_cli_chan=1 option to p2p_supplicant.conf to allow Wi-Fi P2P
operating as P2P client on passive scan channels.

In addition, add p2p_add_cli_chan=1 option to wpa_supplicant.conf to
have consistency in P2P channel list. There is a case where P2P channel
list is updated with different channels from p2p0 and wlan0.

Signed-off-by: Tomoharu Hatano <tomoharu.hatano@sonymobile.com>
2016-12-18 17:56:17 +02:00
Badrish Adiga H R
7508c2ad99 PAE: Make KaY specific details available via control interface
Add KaY details to the STATUS command output.

Signed-off-by: Badrish Adiga H R <badrish.adigahr@hpe.com>
2016-12-18 17:47:05 +02:00
Jouni Malinen
b54f43390e FILS: Make FILS Indication element information available in BSS output
This extends wpa_supplicant BSS command to parse FILS Indication
element.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-18 11:41:59 +02:00
Jouni Malinen
9cad618679 FILS: Add Realm Information ANQP-element in BSS data
Add a named BSS command output entry for FILS Realm Information
ANQP-element (anqp_fils_realm_info).

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-18 11:41:51 +02:00
Jouni Malinen
aaa9c60bc2 Fix preauth_test build by updating add_pmkid/remove_pmkid callbacks
Commit c579312736 ('Add
PMKSA-CACHE-ADDED/REMOVED events to wpa_supplicant') added new arguments
to these callback functions, but forgot to update the implementations in
preauth_test.c.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-14 16:38:44 +02:00
Jouni Malinen
19810d29bc Make Beacon IEs available in wpa_supplicant BSS command
This makes both the Probe Response and Beacon frame IEs available to
upper layers if scan results include both IE sets. When the BSS command
mask includes WPA_BSS_MASK_BEACON_IE, a new beacon_ie=<hexdump> entry
will be included in output if the BSS entry has two separate sets of IEs
(ie=<hexdump> showing the Probe Response frame contents and
beacon_ie=<hexdump> the Beacon rame contents).

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-13 20:07:52 +02:00
Jouni Malinen
274e76f22f mesh: Fix channel configuration in pri/sec switch case
If 20/40 MHz co-ex scan resulted in switching primary and secondary
channels, mesh setup failed to update the frequency parameters for
hostapd side configuration and that could result in invalid secondary
channel configuration preventing creating of the mesh network. This
could happen, e.g., when trying to set up mesh on 5 GHz channel 36 and
co-ex scan finding a BSS on channel 40. Switching the pri/sec channels
resulted in hostapd code trying to check whether channel 32 is
available. Fix this by swapping the channels for hostapd configuration
when needed.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-13 15:25:52 +02:00
Jouni Malinen
3459381dd2 External persistent storage for PMKSA cache entries
This adds new wpa_supplicant control interface commands PMKSA_GET and
PMKSA_ADD that can be used to store PMKSA cache entries in an external
persistent storage when terminating a wpa_supplicant process and then
restore those entries when starting a new process. The previously added
PMKSA-CACHE-ADDED/REMOVED events can be used to help in synchronizing
the external storage with the memory-only volatile storage within
wpa_supplicant.

"PMKSA_GET <network_id>" fetches all stored PMKSA cache entries bound to
a specific network profile. The network_id of the current profile is
available with the STATUS command (id=<network_id). In addition, the
network_id is included in the PMKSA-CACHE-ADDED/REMOVED events. The
output of the PMKSA_GET command uses the following format:

<BSSID> <PMKID> <PMK> <reauth_time in seconds> <expiration in seconds>
<akmp> <opportunistic>

For example:

02:00:00:00:03:00 113b8b5dc8eda16594e8274df4caa3d4 355e98681d09e0b69d3a342f96998aa765d10c4459ac592459b5efc6b563eff6 30240 43200 1 0
02:00:00:00:04:00 bbdac8607aaaac28e16aacc9152ffe23 e3dd6adc390e685985e5f40e6fe72df846a0acadc59ba15c208d9cb41732a663 30240 43200 1 0

The PMKSA_GET command uses the following format:

<network_id> <BSSID> <PMKID> <PMK> <reauth_time in seconds> <expiration
in seconds> <akmp> <opportunistic>

(i.e., "PMKSA_ADD <network_id> " prefix followed by a line of PMKSA_GET
output data; however, the reauth_time and expiration values need to be
updated by decrementing them by number of seconds between the PMKSA_GET
and PMKSA_ADD commands)

For example:

PMKSA_ADD 0 02:00:00:00:03:00 113b8b5dc8eda16594e8274df4caa3d4 355e98681d09e0b69d3a342f96998aa765d10c4459ac592459b5efc6b563eff6 30140 43100 1 0
PMKSA_ADD 0 02:00:00:00:04:00 bbdac8607aaaac28e16aacc9152ffe23 e3dd6adc390e685985e5f40e6fe72df846a0acadc59ba15c208d9cb41732a663 30140 43100 1 0

This functionality is disabled be default and can be enabled with
CONFIG_PMKSA_CACHE_EXTERNAL=y build configuration option. It should be
noted that this allows any process that has access to the wpa_supplicant
control interface to use PMKSA_ADD command to fetch keying material
(PMK), so this is for environments in which the control interface access
is restricted.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-12 23:47:04 +02:00
Jouni Malinen
c579312736 Add PMKSA-CACHE-ADDED/REMOVED events to wpa_supplicant
These allow external program to monitor PMKSA cache updates in
preparation to enable external persistent storage of PMKSA cache.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-12 21:00:43 +02:00
Avichal Agarwal
5149a0f04c P2P: Set p2p_persistent_group=1 at the time of reading disabled=2
Configuration file network block with disabled=2 is used for storing
information about a persistent group, so p2p_persitent_group should be
updated according to this when creating a struct wpa_ssid instance. This
will end up using D-Bus persistent network object path for the network.

Signed-off-by: Avichal Agarwal <avichal.a@samsung.com>
Signed-off-by: Kyeong-Chae Lim <kcya.lim@samsung.com>
2016-12-12 20:30:31 +02:00
vamsi krishna
065c029a55 Remove MBO dependency from Supported Operating Classes element
Supported Operating Classes element and its use is define in the IEEE
802.11 standard and can be sent even when MBO is disabled in the build.
As such, move this functionality out from the CONFIG_MBO=y only mbo.c.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-11 22:07:58 +02:00
Jouni Malinen
a5c723adcf Interworking: Clear SCANNING state if no network selected
Commit 192ad3d730 ('Interworking: Clear
SCANNING state if no match found') did this for the case where no
network matched credentials, but left the SCANNING state in place if
there were a match, but automatic connection was not enabled. Extend
this to cover the case where INTERWORKING_SELECT is not followed by a
connection attempt so that wpa_state is not left indefinitely to
SCANNING.

This fixes a hwsim test case failure in the following sequence:
ap_anqp_sharing scan_trigger_failure

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-11 18:39:12 +02:00
Jouni Malinen
a1836de64b SME: Fix IBSS setup after shared key/FT/FILS association
wpa_s->sme.auth_alg could have been left to a previously value other
than WPA_AUTH_ALG_OPEN if IBSS network is used after an association that
used shared key, FT, or FILS authentication algorithm. This could result
in the IBSS setup failing due to incorrect authentication processing
steps.

Fix this by setting wpa_s->sme.auth_alg = WPA_AUTH_ALG_OPEN whenever
starting an IBSS (or mesh, for that matter) network.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-11 18:23:13 +02:00
Amit Purwar
f49c852b5e P2P: Fix a theoretical out of bounds read in wpas_p2p_select_go_freq()
Commit 8e84921efe ('P2P: Support driver
preferred freq list for Autonomous GO case') introduced this loop to go
through preferred channel list from the driver. The loop does bounds
checking of the index only after having read a value from the array.
That could in theory read one entry beyond the end of the stack buffer.

Fix this by moving the index variable check to be done before using it
to fetch a value from the array.

This code is used only if wpa_supplicant is build with
CONFIG_DRIVER_NL80211_QCA=y and if the driver supports the vendor
extension (get_pref_freq_list() driver op). In addition, the driver
would need to return more than P2P_MAX_PREF_CHANNELS (= 100) preferred
channels for this to actually be able to read beyond the buffer. No
driver is known to return that many preferred channels, so this does not
seem to be reachable in practice.

Signed-off-by: Amit Purwar <amit.purwar@samsung.com>
Signed-off-by: Mayank Haarit <mayank.h@samsung.com>
2016-12-11 12:45:08 +02:00
Amit Purwar
944d485889 P2P: Fix a theoretical out of bounds read in wpas_p2p_setup_freqs()
Commit 370017d968 ('P2P: Use preferred
frequency list from the local driver') introduced this loop to go
through preferred channel list from the driver. The loop does bounds
checking of the index only after having read a value from the array.
That could in theory read one entry beyond the end of the stack buffer.

Fix this by moving the index variable check to be done before using it
to fetch a value from the array.

This code is used only if wpa_supplicant is build with
CONFIG_DRIVER_NL80211_QCA=y and if the driver supports the vendor
extension (get_pref_freq_list() driver op). In addition, the driver
would need to return more than P2P_MAX_PREF_CHANNELS (= 100) preferred
channels for this to actually be able to read beyond the buffer. No
driver is known to return that many preferred channels, so this does not
seem to be reachable in practice.

Signed-off-by: Amit Purwar <amit.purwar@samsung.com>
Signed-off-by: Mayank Haarit <mayank.h@samsung.com>
2016-12-11 12:45:08 +02:00
Jouni Malinen
6e374bd44d Ignore scan results from ongoing scan when FLUSH command is issued
This makes wpa_supplicant behavior more consistent with FLUSH command to
clear all state. Previously, it was possible for an ongoing scan to be
aborted when the FLUSH command is issued and the scan results from that
aborted scan would still be processed and that would update the BSS
table which was supposed to cleared by the FLUSH command.

This could result in hwsim test case failures due to unexpected BSS
table entries being present after the FLUSH command.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-11 12:45:08 +02:00
Jouni Malinen
71ac934530 Make update_idx available in BSS control interface command
This can be used to perform more accurate tests on BSS entry updates.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-10 17:03:24 +02:00
Jouni Malinen
5ec3d510e1 wpa_passphrase: Reject invalid passphrase
Reject a passphrase with control characters instead of trying to write
out an example network configuration block with such control characters
included.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-05 15:36:56 +02:00
Arik Nemtsov
57f93d6889 Defer scans while PNO is in progress instead of skipping them
Skipping the scan altogether will hurt auto-reconnect. Also move the PNO
check down since the scan might be canceled for other reasons before we
defer it.

Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
2016-12-04 20:27:06 +02:00
Jouni Malinen
cfadab269f nl80211: Move duplicate scan result removal to bss.c
The way the removal of duplicated (one per frequency) BSS entries in the
cfg80211 scan results were removed in driver_nl80211_scan.c
bss_info_handler() depended on having the full scan results available to
allow iteration through the other entries. This is problematic for the
goal of being able to optimize memory allocations for scan result
fetching in a manner that would not build the full result buffer in
memory.

Move this duplicate removal into bss.c since it has sufficient
information available for doing the same determination of which one of
two BSS entries is more current.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-03 19:26:47 +02:00
Jouni Malinen
865081c307 privsep: Support frequency list for scan requests
Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-03 18:27:16 +02:00
Jouni Malinen
da818ee5e9 privsep: Support multiple scan SSIDs
Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-03 18:17:28 +02:00
Jouni Malinen
d3c43e5855 privsep: Fix scan result fetching with Beacon frame IEs
wpa_priv did not yet support Beacon frame IEs (res->beacon_ie_len) which
resulted in invalid scan data being accepted in driver_privsep.c. Add
support for res->beacon_ie_len and also fix the validation step to take
this new variable length field into account.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-03 18:02:49 +02:00
Jouni Malinen
0771e912ae wpa_priv: Document reduced functionality
wpa_priv has never really been fully up-to-date with the wpa_supplicant
driver interface extensions. This does not seem like something that
would change in the future either, so document this reduced
functionality as a potential drawback.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-03 17:49:37 +02:00
Jouni Malinen
6d97561dcd wpa_priv: Handler driver global_deinit() on termination path
This avoids a theoretical resource leak on exit path if wpa_priv is
killed while there is a wpa_supplicant process using it.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-03 17:46:08 +02:00
Jouni Malinen
ce0f899a3d wpa_priv: Explicitly clear padding in message structures
This avoids some valgrind warnings about use of uninitialized memory in
cases where a struct may have padding octets between the fields.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-03 17:46:08 +02:00
Jouni Malinen
e0641772a3 wpa_priv: Use fromlen instead sizeof(struct sockaddr_un)
This gets rid of some dependencies on how extra octets at the end of the
struct sockaddr_un get "uninitialized" consistently by only using the
exact length of the address data from the recvfrom() call. This resolves
number of valgrind warnings about use of uninitialized memory.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-03 17:28:18 +02:00
Jouni Malinen
128d3c69fc wpa_priv: Add support for multiple l2_packet connections
This is needed to be able to work with many wpa_supplicant use cases,
e.g., due to use of TDLS or RSN pre-authentication needing a separate
l2_packet socket.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-03 11:37:41 +02:00