path: root/src
Commit message (Collapse)AuthorAgeFilesLines
* hostapd: Fix early init failure pathJouni Malinen2016-06-121-0/+1
| | | | | | | eloop deinit calls could trigger segmentation fault if the early error path is hit before eloop_init() gets called. Signed-off-by: Jouni Malinen <j@w1.fi>
* FST: Make fst_global_deinit() more robustJouni Malinen2016-06-121-0/+6
| | | | | | | | Verify that fst_global_init() has been called before deinitializing the global FST context. This makes it a bit easier to handle failure paths from initialization. Signed-off-by: Jouni Malinen <j@w1.fi>
* mesh: Sync max peer links with kernelMasashi Honma2016-06-121-2/+1
| | | | | | | | | Set max peer links to kernel even when wpa_supplicant MPM is used. This sets the correct value for the "Accepting Additional Mesh Peerings bit" in "Mesh Capability field" in "Mesh Configuration element" in the Beacon frame. Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
* OpenSSL: Initialise PKCS#11 engine even if found with ENGINE_by_id()David Woodhouse2016-06-111-3/+9
| | | | | | | | | | | | | | Recent versions of engine_pkcs11 are set up to be autoloaded on demand with ENGINE_by_id() because they don't need explicit configuration. But if we *do* want to explicitly configure them with a PKCS#11 module path, we should still do so. We can't tell whether it was already initialised, but it's harmless to repeat the MODULE_PATH command if it was. Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> Tested-by: Michael Schaller <misch@google.com>
* nl80211: Fix use-after-free in qca_nl80211_get_features()Paul Stewart2016-06-111-2/+7
| | | | | | | | Any data accessible from nla_data() is freed before the send_and_recv_msgs() function returns, therefore we need to allocate space for info.flags ourselves. Signed-off-by: Paul Stewart <pstew@google.com>
* hostapd Make GAS Address3 field selection behavior configurableJouni Malinen2016-06-102-1/+7
| | | | | | | | | gas_address3=1 can now be used to force hostapd to use the IEEE 802.11 standards compliant Address 3 field value (Wildcard BSSID when not associated) even if the GAS request uses non-compliant address (AP BSSID). Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* hostapd: Fix Public Action frame TX status processing for wildcard BSSIDJouni Malinen2016-06-101-1/+14
| | | | | | | | | | Previously all TX status events with wildcard BSSID were ignored. This did not allow Public Action frame TX status to be processed with the corrected wildcard BSSID use. Fix this to be allowed. In practice, this affects only test cases since Action frame TX status was not used for anything else. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* hostapd: Fix Public Action frame addressing (BSSID field)Jouni Malinen2016-06-103-13/+73
| | | | | | | | | | | | | | | | | | | | | | IEEE Std 802.11-2012, 10.19 (Public Action frame addressing) specifies that the wildcard BSSID value is used in Public Action frames that are transmitted to a STA that is not a member of the same BSS. hostapd used to use the actual BSSID value for all such frames regardless of whether the destination STA is a member of the BSS. Fix this by using the wildcard BSSID in cases the destination STA is not a member of the BSS. Leave group addressed case as-is (i.e., the actual BSSID), since both values are accepted. No such frames are currently used, though. This version is still using the AP BSSID value in the Address 3 field for GAS response frames when replying to a GAS request with AP BSSID instead of Wildcard BSSID. This is left as a workaround to avoid interoperability issues with deployed STA implementations that are still using the non-compliant address and that might be unable to process the standard compliant case. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* nl80211: Add TEST_FAIL() to command generation and set_modeJouni Malinen2016-06-041-0/+5
| | | | | | | This makes it easier to test error paths for failing driver command cases. Signed-off-by: Jouni Malinen <j@w1.fi>
* nl80211: Update drv->assoc_freq on mesh joinJouni Malinen2016-06-041-1/+1
| | | | | | This is needed to provide the correct frequency in SIGNAL_POLL command. Signed-off-by: Jouni Malinen <j@w1.fi>
* nl80211: Use extended capabilities per interface typeKanchanapally, Vidyullatha2016-05-316-1/+155
| | | | | | | | | | This adds the necessary changes to support extraction and use of the extended capabilities specified per interface type (a recent cfg80211/nl80211 extension). If that information is available, per-interface values will be used to override the global per-radio value. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Sync with mac80211-next.git include/uapi/linux/nl80211.hJouni Malinen2016-05-311-1/+32
| | | | | | This brings in nl80211 definitions as of 2016-05-31. Signed-off-by: Jouni Malinen <j@w1.fi>
* Report connection timeouts in CTRL-EVENT-ASSOC-REJECTJouni Malinen2016-05-302-0/+10
| | | | | | | | | Add a new "timeout" argument to the event message if the nl80211 message indicates that the connection failure is not due to an explicit AP rejection message. This makes it easier for external programs to figure out why the connection failed. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* mesh: Support simple SAE group negotiation caseJouni Malinen2016-05-301-0/+51
| | | | | | | | | | This allows the simplest case of SAE group negotiation to occur by selecting the next available group if the peer STA indicates the previous one was not supported. This is not yet sufficient to cover all cases, e.g., when both STAs need to change their groups, but at least some cases are no covered. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* mesh: Fix error path handling in init OOM casesJouni Malinen2016-05-291-4/+13
| | | | | | | | | hostapd deinit functions were not ready to handle a case where the data structures were not fully initialized. Make these more robust to allow wpa_supplicant mesh implementation to use the current deinit design in OOM error cases without causing NULL pointer dereferences. Signed-off-by: Jouni Malinen <j@w1.fi>
* OpenSSL: Comment out tls_connection_get_eap_fast_key without EAP-FASTDavid Benjamin2016-05-231-8/+16
| | | | | | | | | This avoids internal access of structs and also removes the dependency on the reimplemented TLS PRF functions when EAP-FAST support is not enabled. Notably, BoringSSL doesn't support EAP-FAST, so there is no need to access its internals with openssl_get_keyblock_size(). Signed-Off-By: David Benjamin <davidben@google.com>
* TLS: Split tls_connection_prf() into two functionsDavid Benjamin2016-05-2311-85/+98
| | | | | | | | | | | | | | | | | | | | | | Most protocols extracting keys from TLS use RFC 5705 exporters which is commonly implemented in TLS libraries. This is the mechanism used by EAP-TLS. (EAP-TLS actually predates RFC 5705, but RFC 5705 was defined to be compatible with it.) EAP-FAST, however, uses a legacy mechanism. It reuses the TLS internal key block derivation and derives key material after the key block. This is uncommon and a misuse of TLS internals, so not all TLS libraries support this. Instead, we reimplement the PRF for the OpenSSL backend and don't support it at all in the GnuTLS one. Since these two are very different operations, split tls_connection_prf() in two. tls_connection_export_key() implements the standard RFC 5705 mechanism that we expect most TLS libraries to support. tls_connection_get_eap_fast_key() implements the EAP-FAST-specific legacy mechanism which may not be implemented on all backends but is only used by EAP-FAST. Signed-Off-By: David Benjamin <davidben@google.com>
* OpenSSL: Remove two more accesses of ssl_ctx->cert_storeDavid Benjamin2016-05-231-3/+4
| | | | | | | | Commit 68ae4773a40b601126fc1f7cf5284e159c84ab3d ('OpenSSL: Use library wrapper functions to access cert store') fixed most of these, but missed a few. Signed-Off-By: David Benjamin <davidben@google.com>
* nl80211: Add TEST_FAIL() to nl80211_set_mac_addr()Jouni Malinen2016-05-221-0/+3
| | | | | | This makes it easier to test some error paths in wpa_supplicant. Signed-off-by: Jouni Malinen <j@w1.fi>
* nl80211: Register for only for specific Action frames in AP modeKanchanapally, Vidyullatha2016-05-201-5/+47
| | | | | | | | | | This makes changes such that hostapd (and wpa_supplicant AP mode) registers to kernel for specific Action frames instead of generically registering for all Action frames. This makes it easier for other programs to register for some Action frames that hostapd does not handle today without having to somehow coordinate directly with hostapd. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* P2PS: Correct config_methods for different P2P casesPurushottam Kushwaha2016-05-191-3/+3
| | | | | | | | | Add P2PS config flag only when config_methods are set. This restores the pre-P2PS behavioer for the cases where Display or Keypad config method is specified for a peer (i.e., do not add the new P2PS method in that case). Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* EAP-SAKE: Do not debug print result if eap_sake_compute_mic() failsJouni Malinen2016-05-161-5/+14
| | | | | | | | This gets rid of a valgrind warning on uninitialized memory read in the eap_proto_sake_errors test case where the result was used after the failed eap_sake_compute_mic() call. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* EAP-PAX: Do not debug print result if eap_pax_mac() failsJouni Malinen2016-05-161-2/+9
| | | | | | | | This gets rid of a valgrind warning on uninitialized memory read in the eap_proto_pax_errors test case where the result was used after the failed eap_pax_mac() call. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* EAP-FAST: Check sha1_t_prf() result in eap_fast_get_cmk()Jouni Malinen2016-05-161-3/+4
| | | | | | | | This gets rid of a valgrind warning on uninitialized memory read in the eap_proto_fast_errors test case where the result was used after the failed sha1_t_prf() call. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* WPS: Check sha256_vector() result in wps_build_oob_dev_pw()Jouni Malinen2016-05-161-1/+2
| | | | | | | | This gets rid of a valgrind warning on uninitialized memory read in the wpas_ctrl_error test case where the result was used after the failed sha256_vector() call. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Check md5_vector() result in decrypt_ms_key()Jouni Malinen2016-05-161-1/+4
| | | | | | | | This gets rid of a valgrind warning on uninitialized memory read in the hostapd_oom_wpa2_eap_connect test case where the result is used after failed md5_vector() call. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Check hmac_md5() result in radius_msg_verify_msg_auth()Jouni Malinen2016-05-161-2/+3
| | | | | | | | This gets rid of a valgrind warning on uninitialized memory read in the hostapd_oom_wpa2_eap_connect test case where memcmp is used after failed hmac_md5() call. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Check md5_vector() result in radius_msg_verify()Jouni Malinen2016-05-161-2/+2
| | | | | | | | This gets rid of a valgrind warning on uninitialized memory read in the hostapd_oom_wpa2_eap test case where memcmp is used after failed md5_vector() call. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* WPS: Fix debug prints in wps_derive_psk() error caseJouni Malinen2016-05-164-11/+16
| | | | | | | | Check for hmac_sha256() failures and exit from wps_derive_psk() without printing out the derived keys if anything fails. This removes a valgrind warning on uninitialized value when running the ap_wps_m3_oom test case. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* wpa_cli: Add backspace key process for some terminalSiWon Kang2016-05-131-0/+6
| | | | | | | | | | In some terminal, verified with gtkterm and teraterm, backspace key is not properly processed. For instance, type 'abc', 3 times of backspace key press then '123' shows the result of 'abc123' instead of '123'. To fix this, add a routine to process '\b' character input when using edit_simple.c instead of edit.c (i.e., without CONFIG_WPA_CLI_EDIT=y). Signed-off-by: Siwon Kang <kkangshawn@gmail.com>
* drivers: Add NEED_RADIOTAPJohannes Berg2016-05-132-2/+10
| | | | | | | | If there's ever a driver that, like nl80211, requires radiotap, we need to have a NEED_RADIOTAP variable to avoid trying to link the radiotap helpers twice. Introduce that. Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
* OpenSSL: Make dh5_init() match the generic implementationJouni Malinen2016-05-131-0/+2
| | | | | | | | | | | Commit 4104267e81b0a0acdb43f693a67f236b3237a719 ('Fix memory leak on NFC DH generation error path') modified the generic (non-OpenSSL) implementation of dh5_init() to free the previously assigned public key, if any. However, that commit did not modify the OpenSSL specific version of this function. Add the same change there to maintain consistent behavior between these two implementations of the same function. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* WPS: Fix segmentation fault in new DH key derivationRujun Wang2016-05-131-1/+1
| | | | | | | | | | | | Commit 4104267e81b0a0acdb43f693a67f236b3237a719 ('Fix memory leak on NFC DH generation error path') modified dh5_init() behavior in the non-OpenSSL implementation to free the public key (if any was previously set). However, this did not update one of the callers to make sure the publ argument in the call is initialized. This could result in trying to free invalid pointer and segmentation fault when hostapd or wpa_supplicant was built against some other crypto library than OpenSSL. Signed-off-by: Rujun Wang <chinawrj@gmail.com>
* OpenSSL: BoringSSL has SSL_get_client_random(), etc.David Benjamin2016-05-101-2/+6
| | | | | | | | | | | | | | | | | | | | BoringSSL added OpenSSL 1.1.0's SSL_get_client_random() and friends in working towards opaquifying the SSL struct. But it, for the moment, still looks more like 1.0.2 than 1.1.0 and advertises OPENSSL_VERSION_NUMBER as such. This means that there is no need to define those in BoringSSL and defining them causes conflicts. (C does not like having static and non-static functions with the same name.) As requested, this is conditioned on defined(BORINGSSL_API_VERSION) so wpa_supplicant may continue to support older BoringSSLs for a time. (BoringSSL revisions without the accessors predate BoringSSL maintaining a BORINGSSL_API_VERSION.) Also add a missing opensslv.h include. tls_openssl.c is sensitive to OPENSSL_VERSION_NUMBER, so it should include the header directly rather than rely on another header to do so. Signed-off-by: David Benjamin <davidben@google.com>
* Remove newlines from wpa_supplicant config network outputPaul Stewart2016-05-022-0/+12
| | | | | | | | | | Spurious newlines output while writing the config file can corrupt the wpa_supplicant configuration. Avoid writing these for the network block parameters. This is a generic filter that cover cases that may not have been explicitly addressed with a more specific commit to avoid control characters in the psk parameter. Signed-off-by: Paul Stewart <pstew@google.com>
* WPS: Reject a Credential with invalid passphraseJouni Malinen2016-05-023-0/+23
| | | | | | | | | | | | | | | WPA/WPA2-Personal passphrase is not allowed to include control characters. Reject a Credential received from a WPS Registrar both as STA (Credential) and AP (AP Settings) if the credential is for WPAPSK or WPA2PSK authentication type and includes an invalid passphrase. This fixes an issue where hostapd or wpa_supplicant could have updated the configuration file PSK/passphrase parameter with arbitrary data from an external device (Registrar) that may not be fully trusted. Should such data include a newline character, the resulting configuration file could become invalid and fail to be parsed. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* nl80211: Try running without mgmt frame subscription (driver AP SME)Rafał Miłecki2016-04-281-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | One of supported code paths already allows this scenario. It is used if driver doesn't report NL80211_ATTR_DEVICE_AP_SME and doesn't support monitor interface. In such situation: 1) We don't quit if subscribing for WLAN_FC_STYPE_PROBE_REQ fails 2) We don't try subscribing for WLAN_FC_STYPE_ACTION 3) We fallback to AP SME mode after failing to create monitor interface 4) We don't quit if subscribing for WLAN_FC_STYPE_PROBE_REQ fails Above scenario is used, e.g., with brcmfmac. As you can see - thanks to events provided by cfg80211 - it's not really required to receive Probe Request or action frames. However, the previous implementation did not allow using hostapd with drivers that: 1) Report NL80211_ATTR_DEVICE_AP_SME 2) Don't support subscribing for PROBE_REQ and/or ACTION frames In case of using such a driver hostapd will cancel setup after failing to subscribe for WLAN_FC_STYPE_ACTION. I noticed it after setting flag WIPHY_FLAG_HAVE_AP_SME in brcmfmac driver for my experiments. This patch allows working with such drivers with just a small warning printed as debug message. Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
* WPS: Explicitly clear wpabuf memory with key informationJouni Malinen2016-04-285-48/+48
| | | | | | | | This reduces duration that private keying material might remain in the process memory by clearing wpabuf data used in WPS operations when there is possibility of the buffer including keys or related material. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Add assocresp_elements parameter for hostapdBala Krishna Bhamidipati2016-04-204-0/+11
| | | | | | | | This new parameter allows hostapd to add Vendor Specific elements into (Re)Association Response frames similarly to the way vendor_elements parameter can be used for Beacon and Probe Response frames. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* OpenSSL: Support OpenSSL 1.1.0 DH opacityJouni Malinen2016-04-191-0/+87
| | | | | | | | The OpenSSL 1.1.0 Beta 2 release made DH opaque and that broke compilation of crypto_openssl.c. Fix this by using the new accessor functions when building against OpenSSL 1.1.0 or newer. Signed-off-by: Jouni Malinen <j@w1.fi>
* FT: Fix RRB for FT over-the-air caseGünther Kelleter2016-04-181-1/+1
| | | | | | | | | | Commit 66d464067d626cc64c5a543a8f91fe58727f4e5e ('FT: Register RRB l2_packet only if FT-over-DS is enabled') disabled RRB l2_packet socket if ft_over_ds is disabled, but this socket is required for FT over-the-air, too (FT key distribution). Enable the socket regardless of ft_over_ds setting if FT is enabled. Signed-off-by: Günther Kelleter <guenther.kelleter@devolo.de>
* Assign QCA vendor command/attributes for set/get wifi configurationSunil Dutt2016-04-181-1/+59
| | | | | | | | This adds QCA_NL80211_VENDOR_SUBCMD_SET_WIFI_CONFIGURATION and QCA_NL80211_VENDOR_SUBCMD_GET_WIFI_CONFIGURATION and the attributes used with these commands. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* P2P: Add P2P_GROUP_MEMBER command to fetch client interface addressPurushottam Kushwaha2016-04-182-0/+24
| | | | | | | | | | | | | | | This allows local GO to fetch the P2P Interface Address of a P2P Client in the group based on the P2P Device Address for the client. This command should be sent only on a group interface (the same peer may be in multiple concurrent groups). Usage: P2P_GROUP_MEMBER <P2P Device Address> Output: <P2P Interface Address> Signed-off-by: Purushottam Kushwaha <pkushwah@qti.qualcomm.com>
* P2P: Trigger event when invitation is acceptedLior David2016-04-181-0/+1
| | | | | | | | | | Trigger an event when wpa_supplicant accepts an invitation to re-invoke a persistent group. Previously wpa_supplicant entered group formation without triggering any specific events and it could confuse clients, especially when operating with a driver that does not support concurrency between P2P and infrastructure connection. Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
* nl80211: Get rid of unused assignment warningJouni Malinen2016-04-171-0/+2
| | | | | | | | | The os_snprintf() call here cannot really fail in practice, but since its result was stored into the local variable and not checked, static analyzers could warn about the unused assignment. Clean this up by checking the return value. Signed-off-by: Jouni Malinen <j@w1.fi>
* bsd: Set level correctly for non FreeBSD systemsRoy Marples2016-04-171-0/+5
| | | | | | | Only FreeBSD treats rssi as dBm, other BSD have no special meaning to rssi. Signed-off-by: Roy Marples <roy@marples.name>
* nl80211: Add support for global RRM flagBeni Lev2016-04-172-5/+13
| | | | | | | | Set the global RRM flag if global RRM is supported by the device. Also, allow RRM in (Re)Association Request frame if the global RRM flag is set. Signed-off-by: Beni Lev <beni.lev@intel.com>
* driver: Add global RRM support flagBeni Lev2016-04-171-0/+6
| | | | | | | This flag indicates that RRM can be used in (Re)Association Request frames, without supporting quiet period. Signed-off-by: Beni Lev <beni.lev@intel.com>
* nl80211: Register to receive Radio Measurement Request framesDavid Spinadel2016-04-171-0/+4
| | | | | | | Register to receive Radio Measurement Request frames since LCI request is supported by wpa_supplicant. Signed-off-by: David Spinadel <david.spinadel@intel.com>
* hostapd: Add FTM range requestDavid Spinadel2016-04-176-3/+178
| | | | | | | | | | | | | | | | | | | | Add FTM range request via RRM. The AP sends Radio measurement request with FTM range request as a request for the receiving STA to send FTM requests to the given list of APs. The neighbor report part of the request is taken from the neighbor database. The control interface command is: REQ_RANGE <dst addr> <rand_int> <min_ap> <responder> [<responder>..] dst addr: MAC address of an associated STA rand_int: Randomization Interval (0..65535) in TUs min_ap: Minimum AP Count (1..15); minimum number of requested FTM ranges between the associated STA and the listed APs responder: List of BSSIDs for neighboring APs for which a measurement is requested Signed-off-by: David Spinadel <david.spinadel@intel.com>