Increase EAPOL startWhen to 2 for the case where the AP/GO has
advertised it supports WPS 2.0. This is done to make it less likely for
the EAPOL-Start frame to be sent out since that is only required for WPS
1.0. Not sending it can remove one unnecessary round trip from the EAP
exchange when the AP is going to start with EAP-Request/Identity
immediately based on the Association Request frame.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Commit 152cff6ba6 ('P2P: Remove
WPA_DRIVER_FLAGS_P2P_MGMT option') removed the only non-zero return from
wpas_p2p_stop_find_oper(), but did not remove the useless return value
or the return check in wpas_p2p_stop_find(). Clean these up by removing
unreachable code and useless return value.
Signed-off-by: Eduardo Abinader <eduardo.abinader@openbossa.org>
This is needed for number of items and it was possible to make a build
configuration that did not include ieee802_11_common.c while still
trying to use functions from there. While it would be possible to add
NEED_80211_COMMON=y to all the cases where this file is needed, the
extra complexity from this is not really justifiable anymore, so include
the file unconditionally.
Signed-off-by: Jouni Malinen <j@w1.fi>
The MACsec addition placed one of the calls outside the #ifdef
IEEE802X_EAPOL block while the variable needed for this was defined only
within the block.
Signed-off-by: Jouni Malinen <j@w1.fi>
This information can be used to determine whether the event is generated
for a new peer that was added or due to an update in the information for
an existing peer.
Signed-off-by: Jouni Malinen <j@w1.fi>
The new openssl_cipher configuration parameter can be used to select
which TLS cipher suites are enabled for TLS-based EAP methods when
OpenSSL is used as the TLS library. This parameter can be used both as a
global parameter to set the default for all network blocks and as a
network block parameter to override the default for each network
profile.
Signed-off-by: Jouni Malinen <j@w1.fi>
Mark the variable as unsigned and make the length check use "len > end -
pos" version to makes this easier to understand for static analyzers
(CID 74155).
Signed-off-by: Jouni Malinen <j@w1.fi>
len + pos > end comparison here did verify that the length field had a
valid value, but that did not seem to enough to avoid TAINTED_SCALAR
warning. Re-order that validation step to be equivalent "len > end -
pos" to remove these false positives (CID 68116).
Signed-off-by: Jouni Malinen <j@w1.fi>
The driver_test.c driver wrapper (-Dtest in wpa_supplicant and
driver=test in hostapd) was previously used for testing without real
Wi-Fi hardware. mac80211_hwsim-based tests have practically replaced all
these needs and there has been no improvements or use for driver_test.c
in a long while. Because of this, there has not really been any effort
to maintain this older test tool and no justification to change this
either. Remove the obsoleted test mechanism to clean up the repository.
Signed-off-by: Jouni Malinen <j@w1.fi>
Previously, wpas_set_wowlan_triggers() could have been called in
uninitialized wpa_driver_capa data if the driver interface did not
support reporting of capabilities. While this would not really happen
with a driver wrapper that implements set_wowlan() and as such, would
not cause any difference in practice, it is better to clean this up to
make the code path easier to understand for static analyzers.
Signed-off-by: Jouni Malinen <j@w1.fi>
The new ext_eapol_frame_io parameter can be used to configure hostapd
and wpa_supplicant to use control interface for receiving and
transmitting EAPOL frames. This makes it easier to implement automated
test cases for protocol testing. This functionality is included only in
CONFIG_TESTING_OPTIONS=y builds.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
A P2P Client may be able to connect to the GO even if the WPS
provisioning step has not terminated cleanly (e.g., P2P Client does not
send WSC_Done). Such group formation attempt missed the event
notification about started group on the GO and also did not set the
internal state corresponding to the successful group formation.
This commit addresses the missing part by completing GO side group
formation on a successful first data connection if WPS does not complete
cleanly. Also, this commit reorders the STA authorization indications to
ensure that the group formation success notification is given prior to
the first STA connection to handle such scenarios.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Previously, this variable did not necessarily get cleared between group
formations and could result in some of the workaround operations from
not being executed after the first group formation when using the same
interface for all P2P groups. Fix this by clearing the variable whenever
starting the GO to make sure it is used consistently for each group
formation.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
It was possible for local deauthentication request to leave sme-connect
radio work running even when there was no ongoing effort to complete the
connection anymore. Clean this up by marking sme-connect radio work
item, if any, done when clearing connection state after such
disconnection during connection.
Signed-off-by: Jouni Malinen <j@w1.fi>
It was possible for group formation timeout to be the trigger for
detecting the second PSK/4-way handshake failure. If that happened, the
special reason=PSK_FAILURE was not used in the P2P-GROUP-REMOVED event
even though P2P-PERSISTENT-PSK-FAIL did get reported. Fix this special
case by replacing the reason code with PSK_FAILURE if the PSK failure
timeout gets registed as part of the disconnection processing in the
formation timeout handler.
Signed-off-by: Jouni Malinen <j@w1.fi>
Use os_exec() to run the action script operations to avoid undesired
command line processing for control interface event strings. Previously,
it could have been possible for some of the event strings to include
unsanitized data which is not suitable for system() use. (CVE-2014-3686)
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Commit 86bd36f0d5 ("Add generic
mechanism for adding vendor elements into frames") has a minor bug
where it miscalculates the length of memory to move using
os_memmove. If multiple vendor elements are specified then this can
lead to out of bounds memory accesses.
This patch fixes this by calculating the correct length of remaining
data to shift down in the information element.
Signed-off-by: Toby Gray <toby.gray@realvnc.com>
Use hostapd_freq_params instead of simple frequency parameter for driver
commands. This is preparation for IBSS configuration to allow use of
HT/VHT in IBSS.
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
Previously, the case of non-netdev P2P management device ended up
pulling in both the main interface (e.g., wlan0) and P2P Device
interface (from command line -m argument) as configuration. Similarly,
the main interface ended up included both configuration files. This is
not really helpful for various use cases, e.g., when permanent P2P group
information is stored in the P2P Devince interface, but it gets
duplicated in the main station interface configuration.
Clean this up by changing the -m<file> argument to replace, not
concatenate, configuration information. In other words, the main station
interface will not read this configuration and the P2P Device interface
(non-netdev) does not read parameters from the station interface
configuration file.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Relying on qos qosinfo is not enough, as it can be 0 for WMM enabled
peers that don't support U-APSD. Further, some peers don't even contain
this IE (Google Nexus 5), but do contain the WMM IE during setup.
Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
Some drivers need to know the initiator of a TDLS connection in order
to generate a correct TDLS mgmt packet. It is used to determine
the link identifier IE. Pass this information to the driver.
Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
mac_addr=2 and preassoc_mac_addr=2 parameters can now be used to
configure random MAC address to be generated by maintaining the OUI part
of the permanent MAC address (but with locally administered bit set to
1). Other than that, these values result in similar behavior with
mac_addr=1 and preassoc_mac_addr=1, respectively.
Signed-off-by: Jouni Malinen <j@w1.fi>
Support 60 GHz band in P2P module by selecting random social channel
from all supported social channels in 2.4 GHz and 60 GHz bands.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This permits to set or unset the WiFi Display subelements from DBus, by
providing the full WFD specific IE frame.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
If "STA_AUTOCONNECT 0" has been used to disable automatic connection on
disconnection event and the driver indicates multiple disconnection
events for the disconnection from the current AP when WPS is started, it
could have been possible to hit a case where wpa_s->disconnected was set
to 1 during WPS processing and the following scan result processing
would stop the operation.
wpa_s->key_mgmt == WPA_KEY_MGMT_WPS check was trying to avoid to skip
autoconnect when WPS was in use, but that does not seem to work anymore.
Fix this by checking through wpas_wps_searching() as well to avoid
setting wpa_s->disconnect = 1 when there is an ongoing WPS operation.
Signed-off-by: Jouni Malinen <j@w1.fi>
This check is already being done on wpas_p2p_deinit_iface.
Of course, it is assumed wpa_s is not deinit when reaches
that point as a matter of fact.
Signed-off-by: Eduardo Abinader <eduardo.abinader@openbossa.org>
As P2P service are not necessarily attached to a iface, when
added, proceed with same approach on p2p global deinit. Such
approach solves memory leaks ocurring upon wpa_supplicant
termination, when p2p services were registered previously.
Signed-off-by: Eduardo Abinader <eduardo.abinader@openbossa.org>
This adds experimental support for wpa_supplicant to assign random local
MAC addresses for both pre-association cases (scan, GAS/ANQP) and for
connections. MAC address policy for each part can be controlled
separately and the connection part can be set per network block.
This requires support from the driver to allow local MAC address to be
changed if random address policy is enabled. It should also be noted
that number of drivers would not support concurrent operations (e.g.,
P2P and station association) with random addresses in use for one or
both.
This functionality can be controlled with the global configuration
parameters mac_addr and preassoc_mac_addr which set the default MAC
address policies for connections and pre-association operations (scan
and GAS/ANQP while not connected). The global rand_addr_lifetime
parameter can be used to set the lifetime of a random MAC address in
seconds (default: 60 seconds). This is used to avoid unnecessarily
frequent MAC address changes since those are likely to result in driver
clearing most of its state. It should be noted that the random MAC
address does not expire during an ESS connection, i.e., this lifetime is
only for the case where the device is disconnected.
The mac_addr parameter can also be set in the network blocks to define
different behavior per network. For example, the global mac_addr=1 and
preassoc_mac_addr=1 settings and mac_addr=0 in a home network profile
would result in behavior where all scanning is performed using a random
MAC address while connections to new networks (e.g.,
Interworking/Hotspot 2.0) would use random address and connections to
the home network would use the permanent MAC address.
Signed-off-by: Jouni Malinen <j@w1.fi>
This extends "wpa_cli -a<action script>" functionality to work with the
global wpa_supplicant control interface. The IFNAME=<ifname> prefix is
removed from the event messages and converted to the control interface
name when present. Previously, action scripts could only be used with
the per-interface control interfaces.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Number of other buffers were already increased to this size, but the
buffer used for receiving unsolicited event messages from wpa_supplicant
(e.g., for wpa_cli action scripts) was still at the older 256 byte size.
This could result in some events getting truncated. Avoid this by using
the same 4096 byte buffer size here as in the other places receiving
messages from wpa_supplicant.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The ifname_prefix string could change during line editing and the
periodic PING command running in the background ended up getting the
latest snapshot of the command line due to the pointer being left to
point to the edit buffer. This resulted in unexpected prefix strings
getting used with the periodic PING command. Fix this by temporarily
clearing the ifname_prefix whenever running such a periodic PING.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The commit 5cd4740580 has rearranged the
update scan results code and hence the IEs were not getting updated
properly for ap_scan=1 case. This can result in a 4-way handshake
failure in the roaming case (IE mismatch in 3/4 EAPOL). Fix this by
updating the scan results even if ap_scan=1 is used and network does not
need to get reselected based on association information.
Signed-off-by: Jithu Jance <jithu@broadcom.com>
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
Signed-off-by: Jouni Malinen <j@w1.fi>
It also allows to use the STATUS command with default behavior,
say for debug, i.e., don't generate a "fake" CONNECTION and
SUPPLICANT_STATE_CHANGE events with the new STATUS-NO_EVENTS case.
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
In theory, this call could fail, so check the return value before using
the received data. These specific cases would not really care much about
the failures, but this keeps the code more consistent and keeps static
analyzer warnings more useful. (CID 72678, CID 72679, CID 72680,
CID 72683, CID 72689, CID 72698, CID 72703)
Signed-off-by: Jouni Malinen <j@w1.fi>
The network block bssid parameter can be used to force a specific BSS to
be used for a connection. It is also possible to modify this parameter
during an association. Previously, that did not result in any
notification to the driver which was somewhat problematic with drivers
that take care of BSS selection. Add a new mechanism to allow
wpa_supplicant to provide a driver update if the bssid parameter change
for the current connection modifies roaming policy (roaming
allowed/disallowed within ESS).
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
An interoperability issue with a deployed AP has been identified where
the connection fails due to that AP failing to operate correctly if
PMKID is included in the Association Request frame. To work around this,
allow EAPOL-Start packet to be transmitted on startWhen reaching 0 even
when trying to use PMKSA caching. In practice, this allows fallback to
full EAP authentication if the AP/Authenticator takes more than 1-2
seconds to initiate 4-way handshake for PMKSA caching or full EAP
authentication if there was no PMKSA cache match.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Previously, the shorter startWhen value was used based on build
parameters (i.e., if WPS was enabled). This is not really ideal and the
knowledge of WPS use can be provided to the EAPOL state machine to allow
this (and similar WPS workarounds) to be done only when the association
is for the purpose of WPS.
Reduce the default startWhen value from 3 to 2 seconds for non-WPS case
since WPS builds have likely received most testing for the past years
with the 1 second value and there is no strong justification for forcing
the longer 3 second wait should a frame be lost or something else
require the EAPOL-Start to initiate operation after a connection.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Currently to signal PropertiesChanged upon group client
removal (group property), wpa_supplicant dbus uses wpa_s
members like go_dev_addr and current_ssid, for instance.
Thus, deferring p2p client deauth to after dbus notify,
but keeping the same order as before, solves the issue,
as wpa_s is not yet completely deinitialized.
Signed-off-by: Eduardo Abinader <eduardo.abinader@openbossa.org>
"Age" is the age in seconds since the BSS was last seen, and is
emitted as a PropertyChanged signal whenever the BSS is updated
from a scan result. It also returns the correct age when queried
directly.
This property can be used to resolve issues where, if no other
properties of the BSS changed from scan results (for example,
if the BSS always had 100% signal) no D-Bus signals would be
emitted to indicate that the BSS had just been seen in the scan.
Signed-hostap: Dan Williams <dcbw@redhat.com>
While building Association Request frame IEs we should consider adding
P2P IEs only on interface where P2P functionality is enabled. Consider
per interface p2p_disabled parameter before adding P2P IEs to complete
the checks for this.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Some deployed APs send two credentials when in mixed-WPA/WPA2
configuration; one for the WPA-Personal/TKIP and the other for
WPA2-Personal/CCMP. Previously, this would result in two network blocks
getting added for the single AP. This can be somewhat confusing and
unnecessary, so merge such credentials into a single one that allows
both WPA and WPA2 to be used.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Previously, the P2P Interface Address of the peer gets updated in the
peer table every time based on the scan results.
For example, in a two port concurrency scenario, where the peer device
has two interfaces with unique P2P Interface Addresses and with same P2P
Device Address, based on the Probe Response/Beacon frames from these two
interfaces, their peer table gets updated, but each of these updates
happens in the peer table only based on the P2P Device Address. So, the
same peer's P2P Interface address is updated every time and hence, at
any instant, only one P2P Device Address to P2P Interface Address
mapping entry exist in the peer table for the peer which has two
interfaces.
When we try to join a group operated by the peer, lookup happens in the
peer table and when an interface entry is not available, the pending
interface address gets overwritten with the P2P Device Address and hence
the P2P connection can fail. Since the BSS table is the one that is
up-to-date, this fix will ensure that the interface overwriting will
happen only when there is no BSS entry for the pending P2P Interface
Address as well.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Global freq_list scan filtar was taken into account only by
req_scan and not by req_sched_scan. We want to allow the user
to limit the channels that wpa_supplicant will scan in req_sched_scan
requests as well.
Signed-off-by: Bojan Prtvar <bojan.prtvar@rt-rk.com>
Before fixing this issue, calling wpas_dbus_getter_p2p_device_config
was causing early termination of dbus connection, due to writing
values to an already closed dict.
Signed-off-by: Eduardo Abinader <eduardo.abinader@openbossa.org>
In order to find a GO interface, there has to be a
comparison among two SSIDs, instead of a wpa_ssid and
a ssid.
Signed-off-by: Eduardo Abinader <eduardo.abinader@openbossa.org>
First for better concistancy but also to tell about the group_object
that is getting removed, thus the client will know about it and will be
able to act accordingly.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
When p2p_cancel is invoked while the GO Negotiation Action TX was
pending, the p2p_send_action_work was not getting cleared.
Signed-off-by: Jithu Jance <jithu@broadcom.com>
The parameter wowlan_triggers is a global string and is not recognised
if it is embraced with double-quotes.
Signed-off-by: Philippe Nunes <philippe.nunes@linux.intel.com>
The PAME-BI bit in the Advertisement Protocol element is reserved for
non-AP STA, so this function will never set that bit to one and as such,
there is not much point in maintaining the placeholder dead code for
this either. (CID 68107)
Signed-off-by: Jouni Malinen <j@w1.fi>
The PSK/passphrase are needed for the control interface events since the
upper layer UI component is required by the specification to be able to
make this available for manual configuration. However, this is not
needed in the INFO verbosity level debug entry, so split the event
generation into two parts.
Signed-off-by: Jouni Malinen <j@w1.fi>
This makes it easier to change the event message message for indication
when P2P group has stated and removes some duplicated code.
Signed-off-by: Jouni Malinen <j@w1.fi>
This allows external programs to use vendor specific information from
P2P peers without wpa_supplicant having to be able to parse and
understand all such vendor specific elements.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This adds following new control interface commands to allow arbitrary
vendor elements to be added into number of frames:
VENDOR_ELEM_ADD <frame id> <hexdump of elem(s)>
VENDOR_ELEM_GET <frame id>
VENDOR_ELEM_REMOVE <frame id> <hexdump of elem(s)>
VENDOR_ELEM_REMOVE <frame id> *
The following frames are supported in this commit (additional frames can
be added in the future):
0 = Probe Request frame in P2P device discovery
1 = Probe Response frame from P2P Device role
2 = Probe Response frame from P2P GO
3 = Beacon frame from P2P GO
4 = PD Req
5 = PD Resp
6 = GO Neg Req
7 = GO Neg Resp
8 = GO Neg Conf
9 = Invitation Request
10 = Invitation Response
11 = P2P Association Request
12 = P2P Association Response
One or more vendor element can be added/removed with the commands. The
hexdump of the element(s) needs to contain the full element (id, len,
payload) and the buffer needs to pass IE parsing requirements to be
accepted.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Previously, offloaded scanning (PNO) on Android was including SSIDs from
all enabled networks regardless of the scan_ssid parameter which
resulted in different behavior for the offloaded case when comparing to
wpa_supplicant initiated scans.
Use the sched_scan match filter to allow broadcast SSID to be used for
scan_ssid=1 networks also with PNO to avoid running active scans for
SSIDs that have not been explicitly marked as requiring an SSID-specific
scan. This reduces exposure of configured network names on the device
when running offloaded scans while the host device is in sleep.
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
This would not really be needed since these functions check the pointer
above. However, this seems to be too difficult for some static analyzer,
so add the extra check to avoid false reports.
Signed-off-by: Jouni Malinen <j@w1.fi>
This can be used to configure a Hotspot 2.0 Release 2 network externally
for a case where wpa_supplicant-based Interworking network selection is
not used and the update_identifier cannot be copied directly from a
cred.
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
Incorrect field was used to determine the init=<value> in the regulatory
domain changed control interface event.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The new "scan_id=<comma separated list of network ids>" parameter can
now be used to specify a list of network ids that have scan_ssid=1 to
indicate active scanning of the SSID. This adds the listed SSIDs to the
scan command to allow manual scan requests to perform active scans for
hidden SSIDs. For example, "SCAN scan_id=1,7,11" would run a scan with
the SSID fetched from the configured network blocks 1, 7, and 11
(assuming those are set with scan_ssid=1). The SSIDs will be included
even from network blocks that are currently disabled.
The maximum number of SSIDs added to the request is limited by the
driver support. If more than supported values are specified, the command
will fail (returns "FAIL").
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Use an explicit memset call to clear any wpa_supplicant configuration
parameter that contains private information like keys or identity. This
brings in an additional layer of protection by reducing the length of
time this type of private data is kept in memory.
Signed-off-by: Jouni Malinen <j@w1.fi>
build_root_nai() will not be extended to write something after the
domain, so there is no need to update the pos pointer after the final
os_snprintf() call in the function. Remove this to make a static
analyzer happier.
Signed-off-by: Jouni Malinen <j@w1.fi>
This is not really necessary check, but it keeps a static analyzer
happier by avoiding dead increment. Doing it this way rather than
removing the increment is less likely to cause problems when new entries
are added here in the future (the "dead" increment would be very much
needed in those cases).
Signed-off-by: Jouni Malinen <j@w1.fi>
The pointer to the current position is enough to figure out whether the
proto string is the first one in the buffer. Removing the separate
tracking variable cleans up a static analyzer warning on dead
assignment.
Signed-off-by: Jouni Malinen <j@w1.fi>
This adds an explicit limit for the maximum Wi-Fi Display subelement
length for ASCII hexdump. This would not really be needed since the
buffer is already limited by maximum frame length. Anyway, since this
can make static analyzers happier and the subelement used with this
function is short, we may as well include an explicit check.
Signed-off-by: Jouni Malinen <j@w1.fi>
While the buffer is expected to be large enough for all the IEs, it is
better to check for this explicitly when adding the HS 2.0 Indication
element. (CID 68601)
Signed-off-by: Jouni Malinen <j@w1.fi>
The previously used design was a bit too complex for static analyzers
(e.g., CID 68131, CID 68133) to understand which resulted in false
warnings about uninitialized memory. Avoid this by explicitly
initializing the pointer array to NULL and also skipping any invalid
NULL entry in the helper function.
Signed-off-by: Jouni Malinen <j@w1.fi>
GroupMember is unusable in itself and all the necessary informations are
stored in Peer objects, thus replace the use of GroupMember by Peer.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
If only the Peer is part of one or more group, this property will tell
those via listing their object paths.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
This will be useful for a peer to know if it is part of a group either
as a client of our local GO or as the peer GO.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Commit e9852462d5 ('eapol_test: Add PC/SC
reader and PIN command line arguments') did not add break to the switch
statement for the new -R command line option.
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
Previously, eight character random passphrase was generated
automatically for P2P GO. The new p2p_passphrase_len parameter can be
used to increase this length to generate a stronger passphrase for cases
where practicality of manual configuration of legacy devices is not a
concern.
Signed-off-by: Jouni Malinen <j@w1.fi>
The new command line arguments -R<reader> and -P<PIN> can now be used to
specify which PC/SC reader (prefix match) and PIN are to be used.
Signed-off-by: Jouni Malinen <j@w1.fi>
There is no need to trigger new SA Query procedure to check the state of
the connection immediately after having performed such a check. Limit
the impact of burst of unprotected Deauth/Disassoc frames by starting a
new SA Query procedure only once at least 10 seconds has passed from the
previous SA Query that was triggered by reception of an unprotected
disconnection. The first SA Query procedure for each association does
not follow this rule to avoid issues with test cases that expect to see
an SA Query every time.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
"TDLS_TEARDOWN *" can now be used to tear down the direct links to all
TDLS peers. This is useful for debugging purposes.
Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
If a link is unreachable, the specification mandates we should send a
teardown packet via the AP with a specific teardown reason. Force this
by first disabling the link and only then sending the teardown packet
for the LOW_ACK event.
Rename the TDLS LOW_ACK event handler to better reflect its purpose.
Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
This removes number of unnecessary #ifdef CONFIG_P2P blocks from generic
code by hiding the conditional build into p2p_supplicant.h with empty
inline functions.
Signed-off-by: Jouni Malinen <j@w1.fi>
Performing a P2P Device flow such as p2p_listen or
p2p_find, can degrade the performance of an active interface
connection, if the listen frequency is different than the
frequency used by that interface.
To reduce the effect of P2P Device flows on other interfaces,
try changing the listen channel of the P2P Device to match the
operating channel of one of the other active interfaces. This change
will be possible only in case that the listen channel is not forced
externally, and will be delayed to a point where the P2P Device
state machine is idle.
The optimization can be configured in the configuration file and
is disabled by default.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
In case there is no preference for the GO operating channel,
try using one of 1, 6, 11 (randomly), and only if the random
selection is not suitable traverse all the channels 1..11.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Remove the seperation between getting the local interface frequency and
other interfaces frequencies since going over all the radio interfaces
includes the local interface.
Signed-off-by: Avraham Stern <avraham.stern@intel.com>
When the number of frequencies supported by the kernel is bigger than
one, and there is a need to pick a frequency for a new flow such as P2P
GO Negotiation or P2P Invitation, the flow should be able to pick the
best frequency among all the frequencies currently used by the device.
In order to prioritize between the currently used frequencies, add
the ability to collect additional data about each used frequency
(if the frequency is used by a station interface or P2P Client)
and when needed select the best frequency, where:
1. Infrastructure interfaces have highest priority
2. P2P Client interfaces have higher priority over AP/GO
interfaces.
The rational is that the frequency of an AP/GO can change while
that of a station interface cannot.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Remove the check for get_radio_name support from
get_shared_radio_freqs_data() since get_radio_name is no longer in use
in this function.
Signed-off-by: Avraham Stern <avraham.stern@intel.com>
Most of these calls are checked to return success and there is no reason
why these wouldn't, so be more consistent. This addresses CID 62841,
CID 62840, CID 62839, CID 62838, CID 62837, CID 62836.
Signed-off-by: Jouni Malinen <j@w1.fi>
If this chmod() call fails, the global control interface is allowed to
be used since there was no change to its group. Anyway, it can be
helpful to note the error case in debug log instead of silently ignoring
it.
Signed-off-by: Jouni Malinen <j@w1.fi>
Commit b125c48fce ('P2P: Add wfd_dev_info=
field for device found event') added Wi-Fi Display device info to the
P2P-DEVICE-FOUND events. However, it did not include proper bounds
checking in wifi_display_subelem_hex() and could accept subelements with
invalid length field values. This could result in buffer read overflow
of up to 64 kB and inclusion of heap memory in the local control
interface event and/or process crash due to invalid memory access. Fix
this by checking the validity of the length field before writing a
hexdump of the data.
Signed-off-by: Jouni Malinen <j@w1.fi>
The vendor_ext[i] = NULL setting did not make any sense since
num_vendor_ext should have been used to index the vendor_ext array. The
old code did not do any harm since i >= num_vendor_ext and none of the
already set entries could have been cleared. Anyway, better clean this
by making it skip the setting to NULL similarly to what was already done
in the P2P peer vendor ext getter.
Signed-off-by: Jouni Malinen <j@w1.fi>
The OSEN code path hardcodes number of struct wpa_ie_data items.
However, it did not clear the full structure and some uninitialized
fields could have been used (e.g., ie.mgmt_group_cipher for a debug
print and ie.capabilities for checking MFPC). Fix this by clearing the
ie data before filling in the hardcoded OSEN values.
Signed-off-by: Jouni Malinen <j@w1.fi>
The Action code field is in a fixed location, so the IEEE80211_HDRLEN
can be used here to clean up bounds checking to avoid false reports from
static analyzer.
Signed-off-by: Jouni Malinen <j@w1.fi>
The Action code field is in a fixed location, so the IEEE80211_HDRLEN
can be used here to clean up bounds checking to avoid false reports from
static analyzer.
Signed-off-by: Jouni Malinen <j@w1.fi>
The Action code field is in a fixed location, so the IEEE80211_HDRLEN
can be used here to clean up bounds checking to avoid false reports from
static analyzer.
Signed-off-by: Jouni Malinen <j@w1.fi>
There were couple of missing breaks in switch-default (before/after).
While these did not have any noticeable issues due to falling over to
the next step that just exited from the switch statement, it is cleaner
and more robust to have each case use an explicit break.
Signed-off-by: Jouni Malinen <j@w1.fi>
The tmpentry variable was not initialized and
_wpa_dbus_dict_entry_get_byte_array() does not set tmpentry.type, so it
would have been possible for the error path to end up trying to free
unexpected type of an entry or not free the memory at all.
Signed-off-by: Jouni Malinen <j@w1.fi>
This avoids an incorrect ARRAY_VS_SINGLETON report for a case where a
pointer is taken to the specified field in a frame and not to a single
octet. Bounds checking was already handled separately.
Signed-off-by: Jouni Malinen <j@w1.fi>
Due to an incorrect operation (MOD vs. AND), the code that was supposed
to return an error if the hex string has odd length was not really
reporting any failures. Instead of reporting an error, the invalid
control interface command would have been truncated. This is not an
issue in practice, but better fix the implementation anyway.
Signed-off-by: Jouni Malinen <j@w1.fi>
If a dict would include duplicated items, the parsing code here would
have leaked memory by overwriting old os_strdup() result with the new
one. Fix this by explicitly freeing the previous entry. This addresses
CID 62852, CID 62851, CID 62850, CID 62849, CID 62847, CID 62846.
Signed-off-by: Jouni Malinen <j@w1.fi>
It would have been at least theoretically possible to hit the first
error in the loop and end up jumping to error handling which would call
os_free(value) without the value having been cleared after the os_free()
call at the end of the previous loop iteration.
Signed-off-by: Jouni Malinen <j@w1.fi>
The GAS query TX operation used a fixed wait time of 1000 ms for the
reply. However, it would be possible for the driver to not support this
long remain-on-channel maximum. Limit this wait time based on driver
support, if needed.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This makes the p2p_find default delay value configurable as
p2p_search_delay parameter through the configuration file (and through
control interface "SET p2p_search_delay <value>" on the P2P management
interface.
This parameter controls the number milliseconds of extra delay that is
added between search iterations when there is a concurrent operation in
progress. This can be used, e.g., p2p_search_delay=100 to make p2p_find
friendlier to concurrent operations by avoiding it from taking 100% of
the radio resources. The default value is the previous default, i.e.,
500 ms. Smaller values can be used to find peers more quickly at the
cost of larger effect to concurrent operations while a larger value
leaves more time for the concurrent operations at the cost of making
device discovery take longer time.
The optional p2p_find delay argument can still be used to override the
search delay for each search operation.
Since the P2P_CONCURRENT_SEARCH_DELAY macro is not used anymore, the
driver specific build parameter for bcmdhd from Android.mk is also
removed. Similar configuration can now be achieved with
p2p_search_delay=0 in the p2p0 interface configuration file.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
wpa_supplicant_event() is required to include the event data for AP mode
events. In theory, a non-AP mode event could be sent here from the
driver wrapper, so reject such event.
Signed-off-by: Jouni Malinen <j@w1.fi>
Prepare for new extended capabilities bits by checking that the local
buffer is large enough to contain all the bits the driver requests. The
existing buffers are large enough to include anything defined until now,
but it would be possible to add more definitions in the future, so
increase them a bit as well to make this more future proof.
Signed-off-by: Jouni Malinen <j@w1.fi>
Instead of allowing the connection attempt to occur with an unsupported
inner method, check for that explicitly at the time the network block is
added and drop the network if the identified inner method is not
supported.
Signed-off-by: Jouni Malinen <j@w1.fi>
This cannot really be NULL in practice since cred->eap_method would
point to a valid EAP method. Anyway, to avoid false positive from
analyzers, check the pointer explicitly before printing it.
Signed-off-by: Jouni Malinen <j@w1.fi>
This is mainly to keep static analyzers silent since it does not look
like this code path can be reached in practice due to the way
association events are handled and current_ssid is either set before
resched here or the association is rejected. Anyway, if this could be
reached, the wpa_supplicant_set_wpa_none_key() call would end up
dereferencing a NULL pointer, so add an explicit check to make sure that
does not happen.
Signed-off-by: Jouni Malinen <j@w1.fi>
If the offchannel TX frame command was offloaded to the driver in
offchannel_send_action(), we must not send another copy of the frame if
a remain-on-channel event happens to be delivered between this TX
command and the matching TX status event. It was possible for the
duplicated frame to cause problems, e.g., with P2P invitation exchange
if the same Invitation Request frame got sent twice and only the first
one getting accepted by the peer.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The dynamically allocated struct wpa_external_work contains the name of
the radio work in the type field and this is used in a debug print
within radio_work_done(). Re-order radio_work_done() and os_free() calls
on couple of paths where the memory was freed before that final user of
the buffer.
Signed-off-by: Jouni Malinen <j@w1.fi>
wpa_supplicant was giving below error when "CONFIG_MODULE_TESTS=y" and
"CONFIG_P2P=y" are in .config file:
"wpas_module_tests.c:84: undefined reference to `wps_module_tests'"
This error is coming because "CONFIG_WPS=y" is commented out in .config
file but CONFIG_WPS is getting enabled by CONFIG_P2P in Makefile.
Signed-off-by: Amit Khatri <amit.khatri@samsung.com>
For one specific case when running with Interworking enabled the
re-initialisation of the scan timer is missing. This makes auto connect
to a configured network fail.
The case is:
- Interworking credentials available, but do not match
- Auto interworking is enabled (auto_interworking=1)
- Interworking auto select is disabled (i.e., this is from
auto_interworking=1, not from INTERWORKING_SELECT auto)
- No configured (enabled and non blacklisted) networks are present
in scan results list with full match
- Interworking finds matching networks (it does not do full security
policy match)
This patch covers the case and re-initialises the scan timer to allow
search for a suitable network to continue.
Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sonymobile.com>
This makes the operations more consistent when going through multiple
persistent group re-invocation sequences in a row. Each invitation needs
to be accepted separately if persistent reconnect is not enabled.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This adds [DMG] and [PBSS] flags for scan results and BSS table entries
using the IEEE Std 802.11ad-2012 updated definition of the Capability
field.
Signed-off-by: Boris Sorochkin <qca_bsoroc@qca.qualcomm.com>
This patch adds epoll option for the eloop implementation. This can be
selected with the CONFIG_ELOOP_EPOLL=y build option.
[merit]
See Table1.
Table1. comparison table
+--------+--------+-----------+------------+-------------+
| | add fd | remove fd | prepare fd | dispatch fd |
+--------+--------+-----------+------------+-------------+
| select | O(1) | O(1) | O(N) | O(N) |
+--------+--------+-----------+------------+-------------+
| poll | O(1) | O(1) | O(N) | O(N) |
+--------+--------+-----------+------------+-------------+
| epoll | O(1) | O(1) | 0 | O(M) |
+--------+--------+-----------+------------+-------------+
"add fd" is addition of fd by eloop_sock_table_add_sock().
"remove fd" is removal of fd by eloop_sock_table_remove_sock().
"prepare fd" is preparation of fds before wait in eloop_run().
"dispatch fd" is dispatchment of fds by eloop_sock_table_dispatch().
"N" is all watching fds.
"M" is fds which could be dispatched after waiting.
As shown in Table1, epoll option has better performance on "prepare fd" column.
Because select/poll option requires setting fds before every select()/poll().
But epoll_wait() doesn't need it.
And epoll option has also better performance on "dispatch fd" column.
Because select/poll option needs to check all registered fds to find out
dispatchable fds. But epoll option doesn't require checking all registered fds.
Because epoll_wait() returns dispatchable fd set.
So epoll option is effective for GO/AP functionality.
[demerit]
The epoll option requires additional heap memory. In case of P2P GO, it is
about 8K bytes.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
The group object is already registered on DBus at that point, thus wpa_s
structure holds its path already.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Fixes a minor mistake: the p2p_info structure should be used here
instead of the peer_handler_args one.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
These signals delivers an array of key/value pairs, thus declaring those
as it should.
Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
When there is a pending WPS negotiation for P2P and signal interrupt is
triggered, invalid read occurs in wpas_wps_terminate_pending() if
wpas_p2p_disconnect() removed the interface. Inverting deinit order
solves the issue.
Signed-off-by: Eduardo Abinader <eduardo.abinader@openbossa.org>
The radio works for the interface get removed if interface is disabled.
This could have left P2P module in invalid state if the interface got
disabled during a p2p_find or p2p_listen operation. Clear the state in
such a case to avoid blocking following operations due to P2P module
assuming it is still in progress of doing something.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This new command can be used to simulate driver events without having to
go through the driver wrapper or kernel code for this. This enables more
testing coverage with hwsim.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
It looks like there was a possible sequence for wpa_s->scan_req to be
MANUAL_SCAN_REQ at the moment a GO is to be started. This could result
in the "Request scan (that will be skipped) to start GO" to actually not
skip the scan and end up stuck waiting for something external to trigger
a scan before the GO could be started. Fix this by clearing
wpa_s->scan_req when deciding to start the GO.
This issue could be hit at least by first enabling autoscan and then
issuing P2P_GROUP_ADD. Other sequences that set wpa_s->scan_req to
MANUAL_SCAN_REQ without going through wpa_supplicant_scan() to clear it
immediately could also have similar effect (and there is even a small
window for the wpa_supplicant_scan() call to happen only after the
P2P_GROUP_ADD command is processed, so this could potentially have
happened even with SCAN + P2P_GROUP_ADD).
Signed-off-by: Jouni Malinen <j@w1.fi>
Commit 41d5ce9e0b was intended to scan for
GO on the negotiated channel for few iterations, but it did not work
correctly due to incorrect operator being used. Fix this by requiring
both conditions to be met for the single channel scan.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
On receiving CHANNEL_LIST_CHANGED event from driver, verify that local
GO (if any) is operating in valid frequency. If not, we should remove
the group and reform on valid frequency. Indicate this similarly to the
avoid-frequency notification (i.e., a control interface message for
upper layers to react to this for now; potentially CSA later).
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>