Stop the pending P2P_LISTEN operation priot to issuing P2P_GROUP_ADD to
start a GO. This avoids excessively long wait for the previous Listen
step to complete before being able to start the GO. This makes
p2ps_connect_adv_go_persistent take significantly less time.
Signed-off-by: Jouni Malinen <j@w1.fi>
The combination of starting P2P extended listen and issuing
P2P_ASP_PROVISION_RESP almost immediately after that while in P2P_LISTEN
state resulted in caes where the advertiser could end up going back to a
long listen state while trying to retransmit PD Request. This resulted
in p2ps_provision() timing out while waiting for P2PS-PROV-DONE
especially in p2ps_feature_capability_* test cases.
Signed-off-by: Jouni Malinen <j@w1.fi>
Don't add unnecessary P2PS follow-on PD Request attributes when
the request status is not P2P_SC_SUCCESS_DEFERRED.
Signed-off-by: Max Stepanov <Max.Stepanov@intel.com>
When one peer doesn't include a persistent group info in PD Request
the other peer shouldn't report a persistent group usage with this
peer even if such a persistent group exists locally. This condition
could be violated in the previous implementation.
In case a local persistent group exists and the
wpas_p2ps_prov_complete() function is called with persist_ssid parameter
set to NULL, wpa_supplicant reported P2PS-PROV-DONE with persist=<idx>
instead of conncap=<role> parameter.
This happened because the wpas_p2p_get_persistent() function was called
without verification whether the persist_ssid was set to NULL. In this
case the wpas_p2p_get_persistent() returns the first existing persistent
group matching the P2P Device Address without verifying the group's
SSID. After that the group ID is used as persist=<idx> parameter of
P2PS-PROV-DONE event.
Fix the issue by adding persist_ssid and persist_ssid_size verification
as a condition for the wpas_p2p_get_persistent() call.
Signed-off-by: Max Stepanov <Max.Stepanov@intel.com>
In P2PS PD Request processing in some error case scenarios, such as
verification of the WPS config method, the flow aborts before saving
mandatory P2PS PD Request attributes. This in turn causes the control
interface notification events to be sent with invalid parameters.
Fix this by changing the order of verification and processing steps of
the PD Request message handling.
Signed-off-by: Max Stepanov <Max.Stepanov@intel.com>
On successful P2P PD, report the chosen frequency in case the local
device is going to be the P2P GO, so in can later be used to instantiate
the new P2P GO, etc.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
In case the P2PS PD Response includes the P2P Channel List attribute,
update the peer device supported channels and verify that the local
device has common channels with the peer (only a sanity check).
If the Operating Channel attribute is included in the response, check
that it is included in the intersection and store it as the peer's
operating frequency (so it could later be used in the join flow, etc.).
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
In case the P2PS PD Request includes the P2P Channel List attribute,
update the peer device supported channels and check if we have common
channels with the peer that can be used for the connection establishment
based on the connection capabilities:
1. In case of P2PS PD Request with no common channels, defer
the flow unless auto accept equals true and the connection
capabilities equals NEW (in which case the channels would be
negotiated in the GO Negotiation).
2. In case of Follow up P2PS PD Request with no common channels,
reject the request unless the connection capability is NEW.
In addition, in case of a successful P2PS PD, save the device
operating frequency (so it can be later used for join flow, etc.).
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Add operating channel selection and channel list processing similar to
that done when building GO Negotiation Request, i.e., consider the
currently used channels, configured channels, etc.
P2PS introduces a flow where a responder needs to provide channel data
without being previously aware of the current constraints, i.e., the
channels currently in use by other interfaces. To handle this, extend
the get_group_capability() callback to also handle channel selection
aspects of group capabilities.
In case there is an active P2P GO that is going to be used for the P2PS
PD, force its current operating frequency in the PD attributes.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
If a Provision Discovery Request is received for an unknown peer, a new
device entry is being added, but the flow continues without updating the
local p2p_device pointer, requiring to check the pointer value before
every access.
1. Change this, so once a device is added, the flow updates the local
p2p_device pointer and avoids the checks later in the flow.
2. If the device is not known even after adding it, skip the processing,
send the PD Response, and return.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
It is possible that p2p_build_prov_disc_resp() is called with a NULL
device entry, which might be dereferenced when calling
p2p->cfg->get_persistent_group() for the P2PS with persistent group
case. Fix this by checking the device pointer before accessing it.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Write a text version of the content type and handshake type in debug log
to make it easier to follow TLS exchange.
Signed-off-by: Jouni Malinen <j@w1.fi>
The utf8_string_len comparison was off by one and ended up accepting a
truncated three-byte encoded UTF-8 character at the end of the string if
the octet was missing. Since the password string gets null terminated in
the configuration, this did not result in reading beyond the buffer, but
anyway, it is better to explicitly reject the string rather than try to
use an incorrectly encoded UTF-8 string as the password.
Signed-off-by: Jouni Malinen <j@w1.fi>
Verify OCSP stapling response that is signed by the CA rather than a
separate OCSP responder. In addition, verify that invalid signer
certificate (missing OCSP delegation) gets rejected.
Signed-off-by: Jouni Malinen <j@w1.fi>
BoringSSL has dropped OpenSSL functionality that was used in the EST
implementation. For now, disable EST with BoringSSL to allow
hs20-osu-client to be built.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
BoringSSL has removed the OpenSSL OCSP implementation (OCSP_*()
functions) and instead, provides only a minimal mechanism for include
the status request extension and fetching the response from the server.
As such, the previous OpenSSL-based implementation for OCSP stapling is
not usable with BoringSSL.
Add a new implementation that uses BoringSSL to request and fetch the
OCSP stapling response and then parse and validate this with the new
implementation within wpa_supplicant. While this may not have identical
behavior with the OpenSSL-based implementation, this should be a good
starting point for being able to use OCSP stapling with BoringSSL.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
It was already possible to use longer values through the control
interface SET command, but the configuration file parser was still
limited to 512 byte lines. Increase this to 4096 bytes since some of the
configuration parameters (e.g., anqp_elem) can be longer.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Validate that all the required attributes appear in a P2PS PD Request,
and in addition, in the case of follow-on PD Request, check that the
given values match those of the original PD Request.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Change the connection capability handling so that in case there are no
active roles, the peer has an active GO, and the advertisement supports
operation as a client, the returned connection capability is set to
client.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
The code was iterating all the interfaces, and for each interface
iterated all the network blocks to count active P2P GO and P2P Client
interfaces.
Change the code to reuse wpas_p2p_get_go_group() to get a P2P GO
interface and add wpas_p2p_get_cli_group() and use it to find a
P2P Client interface, and use these objects when evaluating the
group capability.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Re-factor wpas_p2p_get_go_group() to:
1. Skip the dedicated P2P Device management interface if it is used.
2. Instead of iterating all the interface configured networks,
only access the current_ssid pointer to check if the current
interface is acting as a persistent P2P GO.
To avoid code duplication, also re-factor wpas_p2p_group_go_ssid()
to call wpas_p2p_get_go_group().
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Add a test case verifying deferred P2PS provision discovery when an
advertiser sends the status 11 (Fail: reject by user) in the follow-on
PD Request.
Signed-off-by: Max Stepanov <Max.Stepanov@intel.com>
When a follow-on PD request is received, peer should not send a
follow-on PD response except the case when the PD request status value
is 12 (Success: accepted by user). Previously, the wpa_supplicant
implementation behaved differently sending the follow-on PD Response on
any follow-on PD Request.
Fix the issue by adding the following changes:
1. Don't send PD Response if the follow-on PD Request status is
different than 12 (seeker side).
2. Don't wait for the follow-on PD Response if the follow-on PD
Request was sent with the status different than 12 (advertiser
side).
3. If the follow-on PD Request was sent with the status different
than 12 use the follow-on PD Request ACK as PD completion event
(advertiser side).
4. Notify ASP about the PD completion by sending P2PS-PROV-DONE with
the PD Request status (advertiser side).
Signed-off-by: Max Stepanov <Max.Stepanov@intel.com>
Not doing so may result in a deferred PD flow failure (currently the
hwsim tests succeeded because seeker never stopped find, spending enough
time listening, so the follow-on PD would succeed).
Fix this by calling p2p_ext_listen when the seeker receives a deferred
PD failure event. Cancel extended listening when PD is done and also
stop find when seek is done.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
It is expected that p2p_flush() should stop any ongoing p2p operation.
However, this was not the case with extended listen which was not
cancelled on p2p_flush() flows. Fix this, by cancelling the extended
listen in p2p_flush().
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
The new hostapd configuration parameter anqp_elem can now be used to
configure arbitrary ANQP-elements for the GAS/ANQP server. In addition
to supporting new elements, this can be used to override previously
supported elements if some special values are needed (mainly for testing
purposes).
The parameter uses following format:
anqp_elem=<InfoID>:<hexdump of payload>
For example, AP Geospatial Location ANQP-element with unknown location:
anqp_elem=265:0000
and AP Civic Location ANQP-element with unknown location:
anqp_elem=266:000000
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This allows wpa_supplicant to expose internally unknown ANQP-elements in
the BSS command. For example, "ANQP_GET <BSSID> 265" can be used to
fetch the AP Geospatial Location ANQP-element and if the AP has this
information, the "BSS <BSSID>" command will include the response as
"anqp[265]=<hexdump>".
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The switch to BoringSSL broke keystore-backed keys because
wpa_supplicant was using the dynamic ENGINE loading to load
the keystore module.
The ENGINE-like functionality in BoringSSL is much simpler
and this change should enable it.
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
Some devices cannot respond to inactive client probe (empty data frame)
within one second. For example, iPhone may take up to 3 secs. This
becomes a significant problem when ap_max_inactivity is set to lower
value such as 10 secs. iPhone can lose Wi-Fi connection after ~1 min
of user inactivity.
Signed-off-by: Dmitry Ivanov <dima@ubnt.com>
On RADIUS auth/acct failures hostapd will try a new server if one is
available. Reuse the failover logic to force a socket renewal if only
one RADIUS server is configured.
This fixes problems when a route for the RADIUS server gets added after
the socket was "connected". The RADIUS socket is still sending the
RADIUS requests out using the previous route.
Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com>
IEEE Std 802.11-2012 13.3.1 states that the AID should be generated on
the local node for each peer. Previously, we were using the peer link ID
(generated by the peer) which may not be unique among all peers. Correct
this by reusing the AP AID generation code.
Signed-off-by: Bob Copeland <me@bobcopeland.com>
Commit d66dcb0d0b ('WEP: Remove VLAN
support from hostapd') already removed VLAN support for WEP encryption,
so vlan_setup_encryption_dyn() is no longer needed.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Check that there are no unencrypted frames when using hostapd with VLANs
and WPA before the first station connects to the VLAN.
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>