include $(TOPDIR)/rules.mk
PKG_NAME:=hostapd
-PKG_VERSION:=2015-03-25
+PKG_VERSION:=2016-01-15
PKG_RELEASE:=1
-PKG_REV:=8278138e679174b1ec8af7f169c2810a8888e202
+PKG_REV:=e15dcf6d1bc2725388555523effca75b1ffab735
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
PKG_SOURCE_URL:=git://w1.fi/srv/git/hostap.git
+++ /dev/null
-From 9ed4eee345f85e3025c33c6e20aa25696e341ccd Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <jouni@qca.qualcomm.com>
-Date: Tue, 7 Apr 2015 11:32:11 +0300
-Subject: [PATCH] P2P: Validate SSID element length before copying it
- (CVE-2015-1863)
-
-This fixes a possible memcpy overflow for P2P dev->oper_ssid in
-p2p_add_device(). The length provided by the peer device (0..255 bytes)
-was used without proper bounds checking and that could have resulted in
-arbitrary data of up to 223 bytes being written beyond the end of the
-dev->oper_ssid[] array (of which about 150 bytes would be beyond the
-heap allocation) when processing a corrupted management frame for P2P
-peer discovery purposes.
-
-This could result in corrupted state in heap, unexpected program
-behavior due to corrupted P2P peer device information, denial of service
-due to process crash, exposure of memory contents during GO Negotiation,
-and potentially arbitrary code execution.
-
-Thanks to Google security team for reporting this issue and smart
-hardware research group of Alibaba security team for discovering it.
-
-Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
----
- src/p2p/p2p.c | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/src/p2p/p2p.c
-+++ b/src/p2p/p2p.c
-@@ -778,6 +778,7 @@ int p2p_add_device(struct p2p_data *p2p,
- if (os_memcmp(addr, p2p_dev_addr, ETH_ALEN) != 0)
- os_memcpy(dev->interface_addr, addr, ETH_ALEN);
- if (msg.ssid &&
-+ msg.ssid[1] <= sizeof(dev->oper_ssid) &&
- (msg.ssid[1] != P2P_WILDCARD_SSID_LEN ||
- os_memcmp(msg.ssid + 2, P2P_WILDCARD_SSID, P2P_WILDCARD_SSID_LEN)
- != 0)) {
+++ /dev/null
-From ef566a4d4f74022e1fdb0a2addfe81e6de9f4aae Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Wed, 29 Apr 2015 02:21:53 +0300
-Subject: [PATCH] AP WMM: Fix integer underflow in WMM Action frame parser
-
-The length of the WMM Action frame was not properly validated and the
-length of the information elements (int left) could end up being
-negative. This would result in reading significantly past the stack
-buffer while parsing the IEs in ieee802_11_parse_elems() and while doing
-so, resulting in segmentation fault.
-
-This can result in an invalid frame being used for a denial of service
-attack (hostapd process killed) against an AP with a driver that uses
-hostapd for management frame processing (e.g., all mac80211-based
-drivers).
-
-Thanks to Kostya Kortchinsky of Google security team for discovering and
-reporting this issue.
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- src/ap/wmm.c | 3 +++
- 1 file changed, 3 insertions(+)
-
---- a/src/ap/wmm.c
-+++ b/src/ap/wmm.c
-@@ -274,6 +274,9 @@ void hostapd_wmm_action(struct hostapd_d
- return;
- }
-
-+ if (left < 0)
-+ return; /* not a valid WMM Action frame */
-+
- /* extract the tspec info element */
- if (ieee802_11_parse_elems(pos, left, &elems, 1) == ParseFailed) {
- hostapd_logger(hapd, mgmt->sa, HOSTAPD_MODULE_IEEE80211,
+++ /dev/null
-From 5acd23f4581da58683f3cf5e36cb71bbe4070bd7 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Tue, 28 Apr 2015 17:08:33 +0300
-Subject: [PATCH] WPS: Fix HTTP chunked transfer encoding parser
-
-strtoul() return value may end up overflowing the int h->chunk_size and
-resulting in a negative value to be stored as the chunk_size. This could
-result in the following memcpy operation using a very large length
-argument which would result in a buffer overflow and segmentation fault.
-
-This could have been used to cause a denial service by any device that
-has been authorized for network access (either wireless or wired). This
-would affect both the WPS UPnP functionality in a WPS AP (hostapd with
-upnp_iface parameter set in the configuration) and WPS ER
-(wpa_supplicant with WPS_ER_START control interface command used).
-
-Validate the parsed chunk length value to avoid this. In addition to
-rejecting negative values, we can also reject chunk size that would be
-larger than the maximum configured body length.
-
-Thanks to Kostya Kortchinsky of Google security team for discovering and
-reporting this issue.
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- src/wps/httpread.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/src/wps/httpread.c b/src/wps/httpread.c
-index 2f08f37..d2855e3 100644
---- a/src/wps/httpread.c
-+++ b/src/wps/httpread.c
-@@ -533,6 +533,13 @@ static void httpread_read_handler(int sd, void *eloop_ctx, void *sock_ctx)
- if (!isxdigit(*cbp))
- goto bad;
- h->chunk_size = strtoul(cbp, NULL, 16);
-+ if (h->chunk_size < 0 ||
-+ h->chunk_size > h->max_bytes) {
-+ wpa_printf(MSG_DEBUG,
-+ "httpread: Invalid chunk size %d",
-+ h->chunk_size);
-+ goto bad;
-+ }
- /* throw away chunk header
- * so we have only real data
- */
---
-1.9.1
-
+++ /dev/null
-From dd2f043c9c43d156494e33d7ce22db96e6ef42c7 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Fri, 1 May 2015 16:37:45 +0300
-Subject: [PATCH 1/5] EAP-pwd peer: Fix payload length validation for Commit
- and Confirm
-
-The length of the received Commit and Confirm message payloads was not
-checked before reading them. This could result in a buffer read
-overflow when processing an invalid message.
-
-Fix this by verifying that the payload is of expected length before
-processing it. In addition, enforce correct state transition sequence to
-make sure there is no unexpected behavior if receiving a Commit/Confirm
-message before the previous exchanges have been completed.
-
-Thanks to Kostya Kortchinsky of Google security team for discovering and
-reporting this issue.
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- src/eap_peer/eap_pwd.c | 29 +++++++++++++++++++++++++++++
- 1 file changed, 29 insertions(+)
-
-diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
-index f2b0926..a629437 100644
---- a/src/eap_peer/eap_pwd.c
-+++ b/src/eap_peer/eap_pwd.c
-@@ -355,6 +355,23 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
- BIGNUM *mask = NULL, *x = NULL, *y = NULL, *cofactor = NULL;
- u16 offset;
- u8 *ptr, *scalar = NULL, *element = NULL;
-+ size_t prime_len, order_len;
-+
-+ if (data->state != PWD_Commit_Req) {
-+ ret->ignore = TRUE;
-+ goto fin;
-+ }
-+
-+ prime_len = BN_num_bytes(data->grp->prime);
-+ order_len = BN_num_bytes(data->grp->order);
-+
-+ if (payload_len != 2 * prime_len + order_len) {
-+ wpa_printf(MSG_INFO,
-+ "EAP-pwd: Unexpected Commit payload length %u (expected %u)",
-+ (unsigned int) payload_len,
-+ (unsigned int) (2 * prime_len + order_len));
-+ goto fin;
-+ }
-
- if (((data->private_value = BN_new()) == NULL) ||
- ((data->my_element = EC_POINT_new(data->grp->group)) == NULL) ||
-@@ -554,6 +571,18 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
- u8 conf[SHA256_MAC_LEN], *cruft = NULL, *ptr;
- int offset;
-
-+ if (data->state != PWD_Confirm_Req) {
-+ ret->ignore = TRUE;
-+ goto fin;
-+ }
-+
-+ if (payload_len != SHA256_MAC_LEN) {
-+ wpa_printf(MSG_INFO,
-+ "EAP-pwd: Unexpected Confirm payload length %u (expected %u)",
-+ (unsigned int) payload_len, SHA256_MAC_LEN);
-+ goto fin;
-+ }
-+
- /*
- * first build up the ciphersuite which is group | random_function |
- * prf
---
-1.9.1
-
+++ /dev/null
-From e28a58be26184c2a23f80b410e0997ef1bd5d578 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Fri, 1 May 2015 16:40:44 +0300
-Subject: [PATCH 2/5] EAP-pwd server: Fix payload length validation for Commit
- and Confirm
-
-The length of the received Commit and Confirm message payloads was not
-checked before reading them. This could result in a buffer read
-overflow when processing an invalid message.
-
-Fix this by verifying that the payload is of expected length before
-processing it. In addition, enforce correct state transition sequence to
-make sure there is no unexpected behavior if receiving a Commit/Confirm
-message before the previous exchanges have been completed.
-
-Thanks to Kostya Kortchinsky of Google security team for discovering and
-reporting this issue.
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- src/eap_server/eap_server_pwd.c | 19 +++++++++++++++++++
- 1 file changed, 19 insertions(+)
-
-diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
-index 66bd5d2..3189105 100644
---- a/src/eap_server/eap_server_pwd.c
-+++ b/src/eap_server/eap_server_pwd.c
-@@ -656,9 +656,21 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data,
- BIGNUM *x = NULL, *y = NULL, *cofactor = NULL;
- EC_POINT *K = NULL, *point = NULL;
- int res = 0;
-+ size_t prime_len, order_len;
-
- wpa_printf(MSG_DEBUG, "EAP-pwd: Received commit response");
-
-+ prime_len = BN_num_bytes(data->grp->prime);
-+ order_len = BN_num_bytes(data->grp->order);
-+
-+ if (payload_len != 2 * prime_len + order_len) {
-+ wpa_printf(MSG_INFO,
-+ "EAP-pwd: Unexpected Commit payload length %u (expected %u)",
-+ (unsigned int) payload_len,
-+ (unsigned int) (2 * prime_len + order_len));
-+ goto fin;
-+ }
-+
- if (((data->peer_scalar = BN_new()) == NULL) ||
- ((data->k = BN_new()) == NULL) ||
- ((cofactor = BN_new()) == NULL) ||
-@@ -774,6 +786,13 @@ eap_pwd_process_confirm_resp(struct eap_sm *sm, struct eap_pwd_data *data,
- u8 conf[SHA256_MAC_LEN], *cruft = NULL, *ptr;
- int offset;
-
-+ if (payload_len != SHA256_MAC_LEN) {
-+ wpa_printf(MSG_INFO,
-+ "EAP-pwd: Unexpected Confirm payload length %u (expected %u)",
-+ (unsigned int) payload_len, SHA256_MAC_LEN);
-+ goto fin;
-+ }
-+
- /* build up the ciphersuite: group | random_function | prf */
- grp = htons(data->group_num);
- ptr = (u8 *) &cs;
---
-1.9.1
-
+++ /dev/null
-From 477c74395acd0123340457ba6f15ab345d42016e Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Sat, 2 May 2015 19:23:04 +0300
-Subject: [PATCH 3/5] EAP-pwd peer: Fix Total-Length parsing for fragment
- reassembly
-
-The remaining number of bytes in the message could be smaller than the
-Total-Length field size, so the length needs to be explicitly checked
-prior to reading the field and decrementing the len variable. This could
-have resulted in the remaining length becoming negative and interpreted
-as a huge positive integer.
-
-In addition, check that there is no already started fragment in progress
-before allocating a new buffer for reassembling fragments. This avoid a
-potential memory leak when processing invalid message.
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- src/eap_peer/eap_pwd.c | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
-index a629437..1d2079b 100644
---- a/src/eap_peer/eap_pwd.c
-+++ b/src/eap_peer/eap_pwd.c
-@@ -866,11 +866,23 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
- * if it's the first fragment there'll be a length field
- */
- if (EAP_PWD_GET_LENGTH_BIT(lm_exch)) {
-+ if (len < 2) {
-+ wpa_printf(MSG_DEBUG,
-+ "EAP-pwd: Frame too short to contain Total-Length field");
-+ ret->ignore = TRUE;
-+ return NULL;
-+ }
- tot_len = WPA_GET_BE16(pos);
- wpa_printf(MSG_DEBUG, "EAP-pwd: Incoming fragments whose "
- "total length = %d", tot_len);
- if (tot_len > 15000)
- return NULL;
-+ if (data->inbuf) {
-+ wpa_printf(MSG_DEBUG,
-+ "EAP-pwd: Unexpected new fragment start when previous fragment is still in use");
-+ ret->ignore = TRUE;
-+ return NULL;
-+ }
- data->inbuf = wpabuf_alloc(tot_len);
- if (data->inbuf == NULL) {
- wpa_printf(MSG_INFO, "Out of memory to buffer "
---
-1.9.1
-
+++ /dev/null
-From 3035cc2894e08319b905bd6561e8bddc8c2db9fa Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Sat, 2 May 2015 19:26:06 +0300
-Subject: [PATCH 4/5] EAP-pwd server: Fix Total-Length parsing for fragment
- reassembly
-
-The remaining number of bytes in the message could be smaller than the
-Total-Length field size, so the length needs to be explicitly checked
-prior to reading the field and decrementing the len variable. This could
-have resulted in the remaining length becoming negative and interpreted
-as a huge positive integer.
-
-In addition, check that there is no already started fragment in progress
-before allocating a new buffer for reassembling fragments. This avoid a
-potential memory leak when processing invalid message.
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- src/eap_server/eap_server_pwd.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
-index 3189105..2bfc3c2 100644
---- a/src/eap_server/eap_server_pwd.c
-+++ b/src/eap_server/eap_server_pwd.c
-@@ -942,11 +942,21 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
- * the first fragment has a total length
- */
- if (EAP_PWD_GET_LENGTH_BIT(lm_exch)) {
-+ if (len < 2) {
-+ wpa_printf(MSG_DEBUG,
-+ "EAP-pwd: Frame too short to contain Total-Length field");
-+ return;
-+ }
- tot_len = WPA_GET_BE16(pos);
- wpa_printf(MSG_DEBUG, "EAP-pwd: Incoming fragments, total "
- "length = %d", tot_len);
- if (tot_len > 15000)
- return;
-+ if (data->inbuf) {
-+ wpa_printf(MSG_DEBUG,
-+ "EAP-pwd: Unexpected new fragment start when previous fragment is still in use");
-+ return;
-+ }
- data->inbuf = wpabuf_alloc(tot_len);
- if (data->inbuf == NULL) {
- wpa_printf(MSG_INFO, "EAP-pwd: Out of memory to "
---
-1.9.1
-
+++ /dev/null
-From 28a069a545b06b99eb55ad53f63f2c99e65a98f6 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Sat, 2 May 2015 19:26:28 +0300
-Subject: [PATCH 5/5] EAP-pwd peer: Fix asymmetric fragmentation behavior
-
-The L (Length) and M (More) flags needs to be cleared before deciding
-whether the locally generated response requires fragmentation. This
-fixes an issue where these flags from the server could have been invalid
-for the following message. In some cases, this could have resulted in
-triggering the wpabuf security check that would terminate the process
-due to invalid buffer allocation.
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- src/eap_peer/eap_pwd.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
-index 1d2079b..e58b13a 100644
---- a/src/eap_peer/eap_pwd.c
-+++ b/src/eap_peer/eap_pwd.c
-@@ -968,6 +968,7 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
- /*
- * we have output! Do we need to fragment it?
- */
-+ lm_exch = EAP_PWD_GET_EXCHANGE(lm_exch);
- len = wpabuf_len(data->outbuf);
- if ((len + EAP_PWD_HDR_SIZE) > data->mtu) {
- resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PWD, data->mtu,
---
-1.9.1
-
+++ /dev/null
-From df9079e72760ceb7ebe7fb11538200c516bdd886 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Tue, 7 Jul 2015 21:57:28 +0300
-Subject: [PATCH] NFC: Fix payload length validation in NDEF record parser
-
-It was possible for the 32-bit record->total_length value to end up
-wrapping around due to integer overflow if the longer form of payload
-length field is used and record->payload_length gets a value close to
-2^32. This could result in ndef_parse_record() accepting a too large
-payload length value and the record type filter reading up to about 20
-bytes beyond the end of the buffer and potentially killing the process.
-This could also result in an attempt to allocate close to 2^32 bytes of
-heap memory and if that were to succeed, a buffer read overflow of the
-same length which would most likely result in the process termination.
-In case of record->total_length ending up getting the value 0, there
-would be no buffer read overflow, but record parsing would result in an
-infinite loop in ndef_parse_records().
-
-Any of these error cases could potentially be used for denial of service
-attacks over NFC by using a malformed NDEF record on an NFC Tag or
-sending them during NFC connection handover if the application providing
-the NDEF message to hostapd/wpa_supplicant did no validation of the
-received records. While such validation is likely done in the NFC stack
-that needs to parse the NFC messages before further processing,
-hostapd/wpa_supplicant better be prepared for any data being included
-here.
-
-Fix this by validating record->payload_length value in a way that
-detects integer overflow. (CID 122668)
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- src/wps/ndef.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/src/wps/ndef.c b/src/wps/ndef.c
-index 5604b0a..50d018f 100644
---- a/src/wps/ndef.c
-+++ b/src/wps/ndef.c
-@@ -48,6 +48,8 @@ static int ndef_parse_record(const u8 *data, u32 size,
- if (size < 6)
- return -1;
- record->payload_length = ntohl(*(u32 *)pos);
-+ if (record->payload_length > size - 6)
-+ return -1;
- pos += sizeof(u32);
- }
-
-@@ -68,7 +70,8 @@ static int ndef_parse_record(const u8 *data, u32 size,
- pos += record->payload_length;
-
- record->total_length = pos - data;
-- if (record->total_length > size)
-+ if (record->total_length > size ||
-+ record->total_length < record->payload_length)
- return -1;
- return 0;
- }
---
-1.9.1
-
+++ /dev/null
-From 6b12d93d2c7428a34bfd4b3813ba339ed57b698a Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Sun, 25 Oct 2015 15:45:50 +0200
-Subject: [PATCH] WNM: Ignore Key Data in WNM Sleep Mode Response frame if no
- PMF in use
-
-WNM Sleep Mode Response frame is used to update GTK/IGTK only if PMF is
-enabled. Verify that PMF is in use before using this field on station
-side to avoid accepting unauthenticated key updates. (CVE-2015-5310)
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- wpa_supplicant/wnm_sta.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c
-index 954de67..7d79499 100644
---- a/wpa_supplicant/wnm_sta.c
-+++ b/wpa_supplicant/wnm_sta.c
-@@ -187,6 +187,12 @@ static void wnm_sleep_mode_exit_success(struct wpa_supplicant *wpa_s,
- end = ptr + key_len_total;
- wpa_hexdump_key(MSG_DEBUG, "WNM: Key Data", ptr, key_len_total);
-
-+ if (key_len_total && !wpa_sm_pmf_enabled(wpa_s->wpa)) {
-+ wpa_msg(wpa_s, MSG_INFO,
-+ "WNM: Ignore Key Data in WNM-Sleep Mode Response - PMF not enabled");
-+ return;
-+ }
-+
- while (ptr + 1 < end) {
- if (ptr + 2 + ptr[1] > end) {
- wpa_printf(MSG_DEBUG, "WNM: Invalid Key Data element "
+++ /dev/null
-From 8057821706784608b828e769ccefbced95591e50 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Sun, 1 Nov 2015 18:18:17 +0200
-Subject: [PATCH] EAP-pwd peer: Fix last fragment length validation
-
-All but the last fragment had their length checked against the remaining
-room in the reassembly buffer. This allowed a suitably constructed last
-fragment frame to try to add extra data that would go beyond the buffer.
-The length validation code in wpabuf_put_data() prevents an actual
-buffer write overflow from occurring, but this results in process
-termination. (CVE-2015-5315)
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- src/eap_peer/eap_pwd.c | 7 +++----
- 1 file changed, 3 insertions(+), 4 deletions(-)
-
-diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
-index 1f78544..75ceef1 100644
---- a/src/eap_peer/eap_pwd.c
-+++ b/src/eap_peer/eap_pwd.c
-@@ -903,7 +903,7 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
- /*
- * buffer and ACK the fragment
- */
-- if (EAP_PWD_GET_MORE_BIT(lm_exch)) {
-+ if (EAP_PWD_GET_MORE_BIT(lm_exch) || data->in_frag_pos) {
- data->in_frag_pos += len;
- if (data->in_frag_pos > wpabuf_size(data->inbuf)) {
- wpa_printf(MSG_INFO, "EAP-pwd: Buffer overflow attack "
-@@ -916,7 +916,8 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
- return NULL;
- }
- wpabuf_put_data(data->inbuf, pos, len);
--
-+ }
-+ if (EAP_PWD_GET_MORE_BIT(lm_exch)) {
- resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PWD,
- EAP_PWD_HDR_SIZE,
- EAP_CODE_RESPONSE, eap_get_id(reqData));
-@@ -930,10 +931,8 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret,
- * we're buffering and this is the last fragment
- */
- if (data->in_frag_pos) {
-- wpabuf_put_data(data->inbuf, pos, len);
- wpa_printf(MSG_DEBUG, "EAP-pwd: Last fragment, %d bytes",
- (int) len);
-- data->in_frag_pos += len;
- pos = wpabuf_head_u8(data->inbuf);
- len = data->in_frag_pos;
- }
---
-1.9.1
-
+++ /dev/null
-From bef802ece03f9ae9d52a21f0cf4f1bc2c5a1f8aa Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Sun, 1 Nov 2015 18:24:16 +0200
-Subject: [PATCH] EAP-pwd server: Fix last fragment length validation
-
-All but the last fragment had their length checked against the remaining
-room in the reassembly buffer. This allowed a suitably constructed last
-fragment frame to try to add extra data that would go beyond the buffer.
-The length validation code in wpabuf_put_data() prevents an actual
-buffer write overflow from occurring, but this results in process
-termination. (CVE-2015-5314)
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- src/eap_server/eap_server_pwd.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
-index cb83ff7..9f787ab 100644
---- a/src/eap_server/eap_server_pwd.c
-+++ b/src/eap_server/eap_server_pwd.c
-@@ -970,7 +970,7 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
- /*
- * the first and all intermediate fragments have the M bit set
- */
-- if (EAP_PWD_GET_MORE_BIT(lm_exch)) {
-+ if (EAP_PWD_GET_MORE_BIT(lm_exch) || data->in_frag_pos) {
- if ((data->in_frag_pos + len) > wpabuf_size(data->inbuf)) {
- wpa_printf(MSG_DEBUG, "EAP-pwd: Buffer overflow "
- "attack detected! (%d+%d > %d)",
-@@ -981,6 +981,8 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
- }
- wpabuf_put_data(data->inbuf, pos, len);
- data->in_frag_pos += len;
-+ }
-+ if (EAP_PWD_GET_MORE_BIT(lm_exch)) {
- wpa_printf(MSG_DEBUG, "EAP-pwd: Got a %d byte fragment",
- (int) len);
- return;
-@@ -990,8 +992,6 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv,
- * buffering fragments so that's how we know it's the last)
- */
- if (data->in_frag_pos) {
-- wpabuf_put_data(data->inbuf, pos, len);
-- data->in_frag_pos += len;
- pos = wpabuf_head_u8(data->inbuf);
- len = data->in_frag_pos;
- wpa_printf(MSG_DEBUG, "EAP-pwd: Last fragment, %d bytes",
---
-1.9.1
-
+++ /dev/null
-From 95577884ca4fa76be91344ff7a8d5d1e6dc3da61 Mon Sep 17 00:00:00 2001
-From: Jouni Malinen <j@w1.fi>
-Date: Sun, 1 Nov 2015 19:35:44 +0200
-Subject: [PATCH] EAP-pwd peer: Fix error path for unexpected Confirm message
-
-If the Confirm message is received from the server before the Identity
-exchange has been completed, the group has not yet been determined and
-data->grp is NULL. The error path in eap_pwd_perform_confirm_exchange()
-did not take this corner case into account and could end up
-dereferencing a NULL pointer and terminating the process if invalid
-message sequence is received. (CVE-2015-5316)
-
-Signed-off-by: Jouni Malinen <j@w1.fi>
----
- src/eap_peer/eap_pwd.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c
-index 75ceef1..892b590 100644
---- a/src/eap_peer/eap_pwd.c
-+++ b/src/eap_peer/eap_pwd.c
-@@ -774,7 +774,8 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data,
- wpabuf_put_data(data->outbuf, conf, SHA256_MAC_LEN);
-
- fin:
-- bin_clear_free(cruft, BN_num_bytes(data->grp->prime));
-+ if (data->grp)
-+ bin_clear_free(cruft, BN_num_bytes(data->grp->prime));
- BN_clear_free(x);
- BN_clear_free(y);
- if (data->outbuf == NULL) {
---
-1.9.1
-
+++ /dev/null
-From f4830bed661f4adff51f50a0d37c64ceb748e780 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <zajec5@gmail.com>
-Date: Mon, 25 Apr 2016 17:10:47 +0200
-Subject: [PATCH] nl80211: Try running without mgmt frame subscription (driver
- AP SME)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-One of supported code paths already allows this scenario. It is used if
-driver doesn't report NL80211_ATTR_DEVICE_AP_SME and doesn't support
-monitor interface. In such situation:
-1) We don't quit if subscribing for WLAN_FC_STYPE_PROBE_REQ fails
-2) We don't try subscribing for WLAN_FC_STYPE_ACTION
-3) We fallback to AP SME mode after failing to create monitor interface
-4) We don't quit if subscribing for WLAN_FC_STYPE_PROBE_REQ fails
-Above scenario is used, e.g., with brcmfmac. As you can see - thanks to
-events provided by cfg80211 - it's not really required to receive Probe
-Request or action frames.
-
-However, the previous implementation did not allow using hostapd with
-drivers that:
-1) Report NL80211_ATTR_DEVICE_AP_SME
-2) Don't support subscribing for PROBE_REQ and/or ACTION frames
-In case of using such a driver hostapd will cancel setup after failing
-to subscribe for WLAN_FC_STYPE_ACTION. I noticed it after setting flag
-WIPHY_FLAG_HAVE_AP_SME in brcmfmac driver for my experiments.
-
-This patch allows working with such drivers with just a small warning
-printed as debug message.
-
-Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
----
- src/drivers/driver_nl80211.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
---- a/src/drivers/driver_nl80211.c
-+++ b/src/drivers/driver_nl80211.c
-@@ -4108,7 +4108,8 @@ static int nl80211_setup_ap(struct i802_
-
- if (drv->device_ap_sme && !drv->use_monitor)
- if (nl80211_mgmt_subscribe_ap_dev_sme(bss))
-- return -1;
-+ wpa_printf(MSG_DEBUG,
-+ "nl80211: Failed to subscribe for mgmt frames from SME driver - trying to run without it");
-
- if (!drv->device_ap_sme && drv->use_monitor &&
- nl80211_create_monitor_interface(drv) &&
+++ /dev/null
---- a/src/ap/ieee802_1x.c
-+++ b/src/ap/ieee802_1x.c
-@@ -2332,9 +2332,9 @@ void ieee802_1x_notify_pre_auth(struct e
- }
-
-
--static const char * bool_txt(Boolean bool)
-+static const char * bool_txt(Boolean bool_val)
- {
-- return bool ? "TRUE" : "FALSE";
-+ return bool_val ? "TRUE" : "FALSE";
- }
-
-
#ifdef ANDROID
#include <sys/capability.h>
-@@ -155,59 +156,46 @@ int os_gmtime(os_time_t t, struct os_tm
+@@ -179,59 +180,46 @@ int os_gmtime(os_time_t t, struct os_tm
return 0;
}
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
-@@ -252,9 +252,10 @@ void wpa_supplicant_cancel_auth_timeout(
+@@ -253,9 +253,10 @@ void wpa_supplicant_cancel_auth_timeout(
*/
void wpa_supplicant_initiate_eapol(struct wpa_supplicant *wpa_s)
{
--- a/src/l2_packet/l2_packet_linux.c
+++ b/src/l2_packet/l2_packet_linux.c
-@@ -307,8 +307,7 @@ struct l2_packet_data * l2_packet_init_b
+@@ -337,8 +337,7 @@ struct l2_packet_data * l2_packet_init_b
l2 = l2_packet_init(br_ifname, own_addr, protocol, rx_callback,
rx_callback_ctx, l2_hdr);
- return NULL;
+ return l2;
+ #ifndef CONFIG_NO_LINUX_PACKET_SOCKET_WAR
/*
- * The Linux packet socket behavior has changed over the years and there
+++ /dev/null
-From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <zajec5@gmail.com>
-Date: Mon, 11 Jan 2016 19:18:06 +0100
-Subject: [PATCH] nl80211: Report disassociated STA / lost peer for the correct
- BSS
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-We shouldn't use drv->ctx as it always points to the first BSS. When
-using FullMAC driver with multi-BSS support it resulted in incorrect
-treating nl80211 events. I noticed with with brcmfmac and BCM43602.
-
-Before my change I was getting "disassociated" on a wrong interface:
-wlan0-1: STA 78:d6:f0:00:11:22 IEEE 802.11: associated
-wlan0-1: STA 78:d6:f0:00:11:22 WPA: pairwise key handshake completed (RSN)
-wlan0: STA 78:d6:f0:00:11:22 IEEE 802.11: disassociated
-
-With this patch it works as expected:
-wlan0-1: STA 78:d6:f0:00:11:22 IEEE 802.11: associated
-wlan0-1: STA 78:d6:f0:00:11:22 WPA: pairwise key handshake completed (RSN)
-wlan0-1: STA 78:d6:f0:00:11:22 IEEE 802.11: disassociated
-
-This doesn't apply to hostapd dealing with SoftMAC drivers when handling
-AP SME & MLME is done it hostapd not the firmware.
-
-Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
----
- src/drivers/driver_nl80211_event.c | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
---- a/src/drivers/driver_nl80211_event.c
-+++ b/src/drivers/driver_nl80211_event.c
-@@ -1154,6 +1154,7 @@ static void nl80211_new_station_event(st
-
-
- static void nl80211_del_station_event(struct wpa_driver_nl80211_data *drv,
-+ struct i802_bss *bss,
- struct nlattr **tb)
- {
- u8 *addr;
-@@ -1166,7 +1167,7 @@ static void nl80211_del_station_event(st
- MAC2STR(addr));
-
- if (is_ap_interface(drv->nlmode) && drv->device_ap_sme) {
-- drv_event_disassoc(drv->ctx, addr);
-+ drv_event_disassoc(bss->ctx, addr);
- return;
- }
-
-@@ -1175,7 +1176,7 @@ static void nl80211_del_station_event(st
-
- os_memset(&data, 0, sizeof(data));
- os_memcpy(data.ibss_peer_lost.peer, addr, ETH_ALEN);
-- wpa_supplicant_event(drv->ctx, EVENT_IBSS_PEER_LOST, &data);
-+ wpa_supplicant_event(bss->ctx, EVENT_IBSS_PEER_LOST, &data);
- }
-
-
-@@ -1939,7 +1940,7 @@ static void do_process_drv_event(struct
- nl80211_new_station_event(drv, bss, tb);
- break;
- case NL80211_CMD_DEL_STATION:
-- nl80211_del_station_event(drv, tb);
-+ nl80211_del_station_event(drv, bss, tb);
- break;
- case NL80211_CMD_SET_REKEY_OFFLOAD:
- nl80211_rekey_offload_event(drv, tb);
--- a/hostapd/Makefile
+++ b/hostapd/Makefile
-@@ -17,6 +17,7 @@ export BINDIR ?= /usr/local/bin/
+@@ -32,6 +32,7 @@ export BINDIR ?= /usr/local/bin/
# CFLAGS += -DUSE_KERNEL_HEADERS -I/usr/src/linux/include
-include .config
+-include $(if $(MULTICALL), ../wpa_supplicant/.config)
- ifdef CONFIG_TESTING_OPTIONS
- CFLAGS += -DCONFIG_TESTING_OPTIONS
-@@ -242,10 +243,14 @@ ifdef CONFIG_IEEE80211AC
+ ifndef CONFIG_NO_GITVER
+ # Add VERSION_STR postfix for builds from a git repository
+@@ -277,10 +278,14 @@ ifdef CONFIG_IEEE80211AC
CFLAGS += -DCONFIG_IEEE80211AC
endif
LIBS += $(DRV_AP_LIBS)
ifdef CONFIG_L2_PACKET
-@@ -941,6 +946,12 @@ install: $(addprefix $(DESTDIR)$(BINDIR)
+@@ -1019,6 +1024,12 @@ install: $(addprefix $(DESTDIR)$(BINDIR)
BCHECK=../src/drivers/build.hostapd
hostapd: $(BCHECK) $(OBJS)
$(Q)$(CC) $(LDFLAGS) -o hostapd $(OBJS) $(LIBS)
@$(E) " LD " $@
-@@ -980,6 +991,12 @@ HOBJS += ../src/crypto/aes-internal.o
+@@ -1060,6 +1071,12 @@ HOBJS += ../src/crypto/aes-internal.o
HOBJS += ../src/crypto/aes-internal-enc.o
endif
@$(E) " LD " $@
--- a/wpa_supplicant/Makefile
+++ b/wpa_supplicant/Makefile
-@@ -15,6 +15,7 @@ CFLAGS += -I$(abspath ../src)
+@@ -27,6 +27,7 @@ CFLAGS += -I$(abspath ../src)
CFLAGS += -I$(abspath ../src/utils)
-include .config
+-include $(if $(MULTICALL),../hostapd/.config)
- ifdef CONFIG_TESTING_OPTIONS
- CFLAGS += -DCONFIG_TESTING_OPTIONS
-@@ -773,6 +774,10 @@ ifdef CONFIG_DYNAMIC_EAP_METHODS
+ ifndef CONFIG_NO_GITVER
+ # Add VERSION_STR postfix for builds from a git repository
+@@ -794,6 +795,10 @@ ifdef CONFIG_DYNAMIC_EAP_METHODS
CFLAGS += -DCONFIG_DYNAMIC_EAP_METHODS
LIBS += -ldl -rdynamic
endif
endif
ifdef CONFIG_MACSEC
-@@ -793,9 +798,11 @@ NEED_EAP_COMMON=y
+@@ -814,9 +819,11 @@ NEED_EAP_COMMON=y
NEED_RSN_AUTHENTICATOR=y
CFLAGS += -DCONFIG_AP
OBJS += ap.o
OBJS += ../src/ap/hostapd.o
OBJS += ../src/ap/wpa_auth_glue.o
OBJS += ../src/ap/utils.o
-@@ -858,10 +865,18 @@ endif
+@@ -879,10 +886,18 @@ endif
ifdef CONFIG_HS20
OBJS += ../src/ap/hs20.o
endif
NEED_AES_WRAP=y
OBJS += ../src/ap/wpa_auth.o
OBJS += ../src/ap/wpa_auth_ie.o
-@@ -1603,6 +1618,12 @@ wpa_priv: $(BCHECK) $(OBJS_priv)
+@@ -1657,6 +1672,12 @@ wpa_priv: $(BCHECK) $(OBJS_priv)
$(OBJS_c) $(OBJS_t) $(OBJS_t2) $(OBJS) $(BCHECK) $(EXTRA_progs): .config
wpa_supplicant: $(BCHECK) $(OBJS) $(EXTRA_progs)
$(Q)$(LDO) $(LDFLAGS) -o wpa_supplicant $(OBJS) $(LIBS) $(EXTRALIBS)
@$(E) " LD " $@
-@@ -1694,6 +1715,12 @@ endif
+@@ -1757,6 +1778,12 @@ endif
$(Q)sed -e 's|\@BINDIR\@|$(BINDIR)|g' $< >$@
@$(E) " sed" $<
wpa_cli.exe: wpa_cli
--- a/src/drivers/driver.h
+++ b/src/drivers/driver.h
-@@ -4581,8 +4581,8 @@ union wpa_event_data {
+@@ -4707,8 +4707,8 @@ union wpa_event_data {
* Driver wrapper code should call this function whenever an event is received
* from the driver.
*/
/*
--- a/src/ap/drv_callbacks.c
+++ b/src/ap/drv_callbacks.c
-@@ -1075,8 +1075,8 @@ static void hostapd_event_dfs_cac_starte
+@@ -1122,8 +1122,8 @@ static void hostapd_event_dfs_cac_starte
#endif /* NEED_AP_MLME */
#ifndef CONFIG_NO_STDOUT_DEBUG
--- a/wpa_supplicant/wpa_priv.c
+++ b/wpa_supplicant/wpa_priv.c
-@@ -819,8 +819,8 @@ static void wpa_priv_send_ft_response(st
+@@ -932,8 +932,8 @@ static void wpa_priv_send_ft_response(st
}
{
struct wpa_priv_interface *iface = ctx;
-@@ -961,6 +961,7 @@ int main(int argc, char *argv[])
+@@ -1082,6 +1082,7 @@ int main(int argc, char *argv[])
if (os_program_init())
return -1;
for (;;) {
--- a/wpa_supplicant/events.c
+++ b/wpa_supplicant/events.c
-@@ -3138,8 +3138,8 @@ static void wpa_supplicant_event_assoc_a
+@@ -3298,8 +3298,8 @@ static void wpa_supplicant_event_assoc_a
}
+ union wpa_event_data *data)
{
struct wpa_supplicant *wpa_s = ctx;
-
+ int resched;
+@@ -3947,7 +3947,7 @@ void wpa_supplicant_event(void *ctx, enu
+ #endif /* CONFIG_AP */
+ break;
+ case EVENT_ACS_CHANNEL_SELECTED:
+-#ifdef CONFIG_ACS
++#if defined(CONFIG_ACS) && defined(CONFIG_AP)
+ if (!wpa_s->ap_iface)
+ break;
+ hostapd_acs_channel_selected(wpa_s->ap_iface->bss[0],
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
-@@ -4300,6 +4300,9 @@ static void wpa_supplicant_deinit_iface(
+@@ -4845,6 +4845,9 @@ static void wpa_supplicant_deinit_iface(
os_free(wpa_s);
}
/**
* wpa_supplicant_add_iface - Add a new network interface
-@@ -4526,6 +4529,7 @@ struct wpa_global * wpa_supplicant_init(
+@@ -5100,6 +5103,7 @@ struct wpa_global * wpa_supplicant_init(
#ifndef CONFIG_NO_WPA_MSG
wpa_msg_register_ifname_cb(wpa_supplicant_msg_ifname_cb);
#endif /* CONFIG_NO_WPA_MSG */
wpa_debug_open_file(params->wpa_debug_file_path);
--- a/hostapd/main.c
+++ b/hostapd/main.c
-@@ -511,6 +511,9 @@ static int hostapd_get_ctrl_iface_group(
+@@ -513,6 +513,9 @@ static int hostapd_get_ctrl_iface_group(
return 0;
}
#ifdef CONFIG_WPS
static int gen_uuid(const char *txt_addr)
-@@ -562,6 +565,7 @@ int main(int argc, char *argv[])
- interfaces.global_iface_name = NULL;
+@@ -588,6 +591,7 @@ int main(int argc, char *argv[])
interfaces.global_ctrl_sock = -1;
+ interfaces.global_ctrl_dst = NULL;
+ wpa_supplicant_event = hostapd_wpa_event;
for (;;) {
- c = getopt(argc, argv, "b:Bde:f:hKP:Ttu:vg:G:");
+ c = getopt(argc, argv, "b:Bde:f:hKP:STtu:vg:G:");
if (c < 0)
--- a/src/drivers/drivers.c
+++ b/src/drivers/drivers.c
#endif /* CONFIG_DRIVER_WEXT */
--- a/wpa_supplicant/eapol_test.c
+++ b/wpa_supplicant/eapol_test.c
-@@ -28,8 +28,12 @@
+@@ -29,7 +29,10 @@
#include "ctrl_iface.h"
#include "pcsc_funcs.h"
#include "wpas_glue.h"
+#include "drivers/driver.h"
-
+void (*wpa_supplicant_event)(void *ctx, enum wpa_event_type event,
+ union wpa_event_data *data);
-+
- struct wpa_driver_ops *wpa_drivers[] = { NULL };
+ const struct wpa_driver_ops *const wpa_drivers[] = { NULL };
-@@ -1203,6 +1207,8 @@ static void usage(void)
+@@ -1288,6 +1291,8 @@ static void usage(void)
"option several times.\n");
}
int main(int argc, char *argv[])
{
-@@ -1221,6 +1227,7 @@ int main(int argc, char *argv[])
+@@ -1308,6 +1313,7 @@ int main(int argc, char *argv[])
if (os_program_init())
return -1;
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
-@@ -2771,6 +2771,10 @@ static int hostapd_config_fill(struct ho
+@@ -2852,6 +2852,10 @@ static int hostapd_config_fill(struct ho
}
#endif /* CONFIG_IEEE80211W */
#ifdef CONFIG_IEEE80211N
} else if (os_strcmp(buf, "ht_capab") == 0) {
--- a/src/ap/ap_config.h
+++ b/src/ap/ap_config.h
-@@ -619,6 +619,8 @@ struct hostapd_config {
+@@ -639,6 +639,8 @@ struct hostapd_config {
int ht_op_mode_fixed;
u16 ht_capab;
+ int no_ht_coex;
int ieee80211n;
int secondary_channel;
- int require_ht;
+ int no_pri_sec_switch;
--- a/src/ap/hw_features.c
+++ b/src/ap/hw_features.c
-@@ -461,7 +461,7 @@ static int ieee80211n_check_40mhz(struct
- struct wpa_driver_scan_params params;
+@@ -473,7 +473,8 @@ static int ieee80211n_check_40mhz(struct
int ret;
-- if (!iface->conf->secondary_channel)
-+ if (!iface->conf->secondary_channel || iface->conf->noscan)
- return 0; /* HT40 not used */
+ /* Check that HT40 is used and PRI / SEC switch is allowed */
+- if (!iface->conf->secondary_channel || iface->conf->no_pri_sec_switch)
++ if (!iface->conf->secondary_channel || iface->conf->no_pri_sec_switch ||
++ iface->conf->noscan)
+ return 0;
hostapd_set_state(iface, HAPD_IFACE_HT_SCAN);
--- a/src/ap/ieee802_11_ht.c
+++ b/src/ap/ieee802_11_ht.c
-@@ -221,6 +221,9 @@ void hostapd_2040_coex_action(struct hos
+@@ -244,6 +244,9 @@ void hostapd_2040_coex_action(struct hos
if (!(iface->conf->ht_capab & HT_CAP_INFO_SUPP_CHANNEL_WIDTH_SET))
return;
if (len < IEEE80211_HDRLEN + 2 + sizeof(*bc_ie))
return;
-@@ -346,6 +349,9 @@ void ht40_intolerant_add(struct hostapd_
+@@ -368,6 +371,9 @@ void ht40_intolerant_add(struct hostapd_
if (iface->current_mode->mode != HOSTAPD_MODE_IEEE80211G)
return;
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
-@@ -3249,7 +3249,7 @@ wpa_supplicant_alloc(struct wpa_supplica
+@@ -3449,7 +3449,7 @@ wpa_supplicant_alloc(struct wpa_supplica
if (wpa_s == NULL)
return NULL;
wpa_s->scan_req = INITIAL_SCAN_REQ;
--- a/src/drivers/drivers.mak
+++ b/src/drivers/drivers.mak
-@@ -34,7 +34,6 @@ NEED_SME=y
+@@ -37,7 +37,6 @@ NEED_SME=y
NEED_AP_MLME=y
NEED_NETLINK=y
NEED_LINUX_IOCTL=y
ifdef CONFIG_LIBNL32
DRV_LIBS += -lnl-3
-@@ -116,7 +115,6 @@ DRV_WPA_CFLAGS += -DCONFIG_DRIVER_WEXT
+@@ -121,7 +120,6 @@ DRV_WPA_CFLAGS += -DCONFIG_DRIVER_WEXT
CONFIG_WIRELESS_EXTENSION=y
NEED_NETLINK=y
NEED_LINUX_IOCTL=y
endif
ifdef CONFIG_DRIVER_NDIS
-@@ -142,7 +140,6 @@ endif
+@@ -147,7 +145,6 @@ endif
ifdef CONFIG_WIRELESS_EXTENSION
DRV_WPA_CFLAGS += -DCONFIG_WIRELESS_EXTENSION
DRV_WPA_OBJS += ../src/drivers/driver_wext.o
endif
ifdef NEED_NETLINK
-@@ -155,6 +152,7 @@ endif
+@@ -160,6 +157,7 @@ endif
ifdef NEED_RFKILL
DRV_OBJS += ../src/drivers/rfkill.o
--- a/src/drivers/driver_nl80211.c
+++ b/src/drivers/driver_nl80211.c
-@@ -3616,7 +3616,7 @@ static int nl80211_set_channel(struct i8
+@@ -3708,7 +3708,7 @@ static int nl80211_set_channel(struct i8
freq->freq, freq->ht_enabled, freq->vht_enabled,
freq->bandwidth, freq->center_freq1, freq->center_freq2);
--- a/src/ap/hostapd.c
+++ b/src/ap/hostapd.c
-@@ -76,6 +76,16 @@ static void hostapd_reload_bss(struct ho
+@@ -78,6 +78,16 @@ static void hostapd_reload_bss(struct ho
#endif /* CONFIG_NO_RADIUS */
ssid = &hapd->conf->ssid;
if (!ssid->wpa_psk_set && ssid->wpa_psk && !ssid->wpa_psk->next &&
ssid->wpa_passphrase_set && ssid->wpa_passphrase) {
/*
-@@ -175,21 +185,12 @@ int hostapd_reload_config(struct hostapd
+@@ -177,21 +187,12 @@ int hostapd_reload_config(struct hostapd
oldconf = hapd->iconf;
iface->conf = newconf;
--- a/src/drivers/driver_nl80211.c
+++ b/src/drivers/driver_nl80211.c
-@@ -2254,13 +2254,18 @@ wpa_driver_nl80211_finish_drv_init(struc
+@@ -2323,13 +2323,18 @@ wpa_driver_nl80211_finish_drv_init(struc
}
return send_and_recv_msgs(drv, msg, NULL, NULL);
}
-@@ -2311,7 +2316,7 @@ static void wpa_driver_nl80211_deinit(st
+@@ -2380,7 +2385,7 @@ static void wpa_driver_nl80211_deinit(st
nl80211_remove_monitor_interface(drv);
if (is_ap_interface(drv->nlmode))
if (drv->eapol_sock >= 0) {
eloop_unregister_read_sock(drv->eapol_sock);
-@@ -4140,8 +4145,7 @@ static void nl80211_teardown_ap(struct i
+@@ -4232,8 +4237,7 @@ static void nl80211_teardown_ap(struct i
nl80211_remove_monitor_interface(drv);
else
nl80211_mgmt_unsubscribe(bss, "AP teardown");
}
-@@ -6066,8 +6070,6 @@ static int wpa_driver_nl80211_if_remove(
+@@ -6164,8 +6168,6 @@ static int wpa_driver_nl80211_if_remove(
} else {
wpa_printf(MSG_DEBUG, "nl80211: First BSS - reassign context");
nl80211_teardown_ap(bss);
nl80211_destroy_bss(bss);
if (!bss->added_if)
i802_set_iface_flags(bss, 0);
-@@ -6389,8 +6391,7 @@ static int wpa_driver_nl80211_deinit_ap(
+@@ -6527,8 +6529,7 @@ static int wpa_driver_nl80211_deinit_ap(
struct wpa_driver_nl80211_data *drv = bss->drv;
if (!is_ap_interface(drv->nlmode))
return -1;
/*
* If the P2P GO interface was dynamically added, then it is
-@@ -6409,8 +6410,7 @@ static int wpa_driver_nl80211_stop_ap(vo
+@@ -6547,8 +6548,7 @@ static int wpa_driver_nl80211_stop_ap(vo
struct wpa_driver_nl80211_data *drv = bss->drv;
if (!is_ap_interface(drv->nlmode))
return -1;
--- a/hostapd/ctrl_iface.c
+++ b/hostapd/ctrl_iface.c
-@@ -45,6 +45,7 @@
- #include "wps/wps.h"
+@@ -47,6 +47,7 @@
+ #include "fst/fst_ctrl_iface.h"
#include "config_file.h"
#include "ctrl_iface.h"
+#include "config_file.h"
- struct wpa_ctrl_dst {
-@@ -55,6 +56,7 @@ struct wpa_ctrl_dst {
+ #define HOSTAPD_CLI_DUP_VALUE_MAX_LEN 256
+@@ -59,6 +60,7 @@ struct wpa_ctrl_dst {
int errors;
};
+static char *reload_opts = NULL;
static void hostapd_ctrl_iface_send(struct hostapd_data *hapd, int level,
- const char *buf, size_t len);
-@@ -164,6 +166,61 @@ static int hostapd_ctrl_iface_new_sta(st
+ enum wpa_msg_type type,
+@@ -169,6 +171,61 @@ static int hostapd_ctrl_iface_new_sta(st
return 0;
}
#ifdef CONFIG_IEEE80211W
#ifdef NEED_AP_MLME
-@@ -2086,6 +2143,8 @@ static void hostapd_ctrl_iface_receive(i
+@@ -2257,6 +2314,8 @@ static int hostapd_ctrl_iface_receive_pr
} else if (os_strncmp(buf, "VENDOR ", 7) == 0) {
reply_len = hostapd_ctrl_iface_vendor(hapd, buf + 7, reply,
reply_size);
#ifdef RADIUS_SERVER
--- a/src/ap/ctrl_iface_ap.c
+++ b/src/ap/ctrl_iface_ap.c
-@@ -541,5 +541,11 @@ int hostapd_parse_csa_settings(const cha
+@@ -552,5 +552,11 @@ int hostapd_parse_csa_settings(const cha
int hostapd_ctrl_iface_stop_ap(struct hostapd_data *hapd)
{
--- a/wpa_supplicant/wpa_supplicant_i.h
+++ b/wpa_supplicant/wpa_supplicant_i.h
-@@ -110,6 +110,11 @@ struct wpa_interface {
+@@ -99,6 +99,11 @@ struct wpa_interface {
const char *ifname;
/**
* bridge_ifname - Optional bridge interface name
*
* If the driver interface (ifname) is included in a Linux bridge
-@@ -442,6 +447,8 @@ struct wpa_supplicant {
+@@ -465,6 +470,8 @@ struct wpa_supplicant {
#endif /* CONFIG_CTRL_IFACE_DBUS_NEW */
char bridge_ifname[16];
--- a/wpa_supplicant/Makefile
+++ b/wpa_supplicant/Makefile
-@@ -14,6 +14,10 @@ CFLAGS += $(EXTRA_CFLAGS)
+@@ -26,6 +26,10 @@ CFLAGS += $(EXTRA_CFLAGS)
CFLAGS += -I$(abspath ../src)
CFLAGS += -I$(abspath ../src/utils)
-include .config
-include $(if $(MULTICALL),../hostapd/.config)
-@@ -84,6 +88,8 @@ OBJS_c += ../src/utils/wpa_debug.o
+@@ -113,6 +117,8 @@ OBJS_c += ../src/utils/wpa_debug.o
OBJS_c += ../src/utils/common.o
OBJS += wmm_ac.o
CONFIG_OS=win32
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
-@@ -107,6 +107,55 @@ const char *wpa_supplicant_full_license5
+@@ -108,6 +108,55 @@ const char *const wpa_supplicant_full_li
"\n";
#endif /* CONFIG_NO_STDOUT_DEBUG */
+ int ret;
+
+ if (!bss)
-+ return;
++ return -1;
+
+ if (bss->ht_param & HT_INFO_HT_PARAM_STA_CHNL_WIDTH) {
+ int sec = bss->ht_param & HT_INFO_HT_PARAM_SECONDARY_CHNL_OFF_MASK;
/* Configure default/group WEP keys for static WEP */
int wpa_set_wep_keys(struct wpa_supplicant *wpa_s, struct wpa_ssid *ssid)
{
-@@ -743,8 +792,12 @@ void wpa_supplicant_set_state(struct wpa
+@@ -783,8 +832,12 @@ void wpa_supplicant_set_state(struct wpa
wpas_p2p_completed(wpa_s);
sme_sched_obss_scan(wpa_s, 1);
wpa_s->new_connection = 1;
wpa_drv_set_operstate(wpa_s, 0);
#ifndef IEEE8021X_EAPOL
-@@ -4038,6 +4091,20 @@ static int wpa_supplicant_init_iface(str
+@@ -4537,6 +4590,20 @@ static int wpa_supplicant_init_iface(str
sizeof(wpa_s->bridge_ifname));
}
/* RSNA Supplicant Key Management - INITIALIZE */
eapol_sm_notify_portEnabled(wpa_s->eapol, FALSE);
eapol_sm_notify_portValid(wpa_s->eapol, FALSE);
-@@ -4280,6 +4347,11 @@ static void wpa_supplicant_deinit_iface(
+@@ -4823,6 +4890,11 @@ static void wpa_supplicant_deinit_iface(
if (terminate)
wpa_msg(wpa_s, MSG_INFO, WPA_EVENT_TERMINATING);
#include "drivers/driver.h"
#include "wpa_supplicant_i.h"
#include "config.h"
-@@ -277,6 +278,10 @@ static void calculate_update_time(const
+@@ -287,6 +288,10 @@ static void calculate_update_time(const
static void wpa_bss_copy_res(struct wpa_bss *dst, struct wpa_scan_res *src,
struct os_reltime *fetch_time)
{
dst->flags = src->flags;
os_memcpy(dst->bssid, src->bssid, ETH_ALEN);
dst->freq = src->freq;
-@@ -289,6 +294,15 @@ static void wpa_bss_copy_res(struct wpa_
+@@ -299,6 +304,15 @@ static void wpa_bss_copy_res(struct wpa_
dst->est_throughput = src->est_throughput;
dst->snr = src->snr;
--- a/wpa_supplicant/main.c
+++ b/wpa_supplicant/main.c
-@@ -33,7 +33,7 @@ static void usage(void)
+@@ -34,7 +34,7 @@ static void usage(void)
"vW] [-P<pid file>] "
"[-g<global ctrl>] \\\n"
" [-G<group>] \\\n"
"[-p<driver_param>] \\\n"
" [-b<br_ifname>] [-e<entropy file>]"
#ifdef CONFIG_DEBUG_FILE
-@@ -84,6 +84,7 @@ static void usage(void)
- #endif /* CONFIG_DEBUG_LINUX_TRACING */
- printf(" -t = include timestamp in debug messages\n"
+@@ -74,6 +74,7 @@ static void usage(void)
+ " -g = global ctrl_interface\n"
+ " -G = global ctrl_interface group\n"
" -h = show this help text\n"
+ " -H = connect to a hostapd instance to manage state changes\n"
- " -L = show license (BSD)\n"
- " -o = override driver parameter for new interfaces\n"
- " -O = override ctrl_interface parameter for new interfaces\n"
-@@ -175,7 +176,7 @@ int main(int argc, char *argv[])
+ " -i = interface name\n"
+ " -I = additional configuration file\n"
+ " -K = include keys (passwords, etc.) in debug output\n"
+@@ -176,7 +177,7 @@ int main(int argc, char *argv[])
for (;;) {
c = getopt(argc, argv,
if (c < 0)
break;
switch (c) {
-@@ -222,6 +223,9 @@ int main(int argc, char *argv[])
+@@ -223,6 +224,9 @@ int main(int argc, char *argv[])
usage();
exitcode = 0;
goto out;
break;
--- a/wpa_supplicant/bss.h
+++ b/wpa_supplicant/bss.h
-@@ -72,6 +72,10 @@ struct wpa_bss {
- u8 ssid[32];
+@@ -79,6 +79,10 @@ struct wpa_bss {
+ u8 ssid[SSID_MAX_LEN];
/** Length of SSID */
size_t ssid_len;
+ /** HT caapbilities */
--- a/hostapd/Makefile
+++ b/hostapd/Makefile
-@@ -168,6 +168,9 @@ endif
+@@ -202,6 +202,9 @@ endif
ifdef CONFIG_NO_CTRL_IFACE
CFLAGS += -DCONFIG_NO_CTRL_IFACE
else
endif
--- a/hostapd/ctrl_iface.c
+++ b/hostapd/ctrl_iface.c
-@@ -1953,6 +1953,7 @@ static void hostapd_ctrl_iface_receive(i
+@@ -2119,6 +2119,7 @@ static int hostapd_ctrl_iface_receive_pr
reply_size);
} else if (os_strcmp(buf, "STATUS-DRIVER") == 0) {
reply_len = hostapd_drv_status(hapd, reply, reply_size);
} else if (os_strcmp(buf, "MIB") == 0) {
reply_len = ieee802_11_get_mib(hapd, reply, reply_size);
if (reply_len >= 0) {
-@@ -1994,6 +1995,7 @@ static void hostapd_ctrl_iface_receive(i
+@@ -2160,6 +2161,7 @@ static int hostapd_ctrl_iface_receive_pr
} else if (os_strncmp(buf, "STA-NEXT ", 9) == 0) {
reply_len = hostapd_ctrl_iface_sta_next(hapd, buf + 9, reply,
reply_size);
+#endif
} else if (os_strcmp(buf, "ATTACH") == 0) {
- if (hostapd_ctrl_iface_attach(hapd, &from, fromlen))
+ if (hostapd_ctrl_iface_attach(hapd, from, fromlen))
reply_len = -1;
--- a/wpa_supplicant/Makefile
+++ b/wpa_supplicant/Makefile
-@@ -837,6 +837,9 @@ ifdef CONFIG_WNM
+@@ -858,6 +858,9 @@ ifdef CONFIG_WNM
OBJS += ../src/ap/wnm_ap.o
endif
ifdef CONFIG_CTRL_IFACE
--- a/wpa_supplicant/ctrl_iface.c
+++ b/wpa_supplicant/ctrl_iface.c
-@@ -1795,7 +1795,7 @@ static int wpa_supplicant_ctrl_iface_sta
+@@ -1858,7 +1858,7 @@ static int wpa_supplicant_ctrl_iface_sta
pos += ret;
}
if (wpa_s->ap_iface) {
pos += ap_ctrl_iface_wpa_get_status(wpa_s, pos,
end - pos,
-@@ -7896,6 +7896,7 @@ char * wpa_supplicant_ctrl_iface_process
+@@ -8352,6 +8352,7 @@ char * wpa_supplicant_ctrl_iface_process
reply_len = -1;
} else if (os_strncmp(buf, "NOTE ", 5) == 0) {
wpa_printf(MSG_INFO, "NOTE: %s", buf + 5);
} else if (os_strcmp(buf, "MIB") == 0) {
reply_len = wpa_sm_get_mib(wpa_s->wpa, reply, reply_size);
if (reply_len >= 0) {
-@@ -7903,6 +7904,7 @@ char * wpa_supplicant_ctrl_iface_process
+@@ -8359,6 +8360,7 @@ char * wpa_supplicant_ctrl_iface_process
reply + reply_len,
reply_size - reply_len);
}
} else if (os_strncmp(buf, "STATUS", 6) == 0) {
reply_len = wpa_supplicant_ctrl_iface_status(
wpa_s, buf + 6, reply, reply_size);
-@@ -8353,6 +8355,7 @@ char * wpa_supplicant_ctrl_iface_process
+@@ -8821,6 +8823,7 @@ char * wpa_supplicant_ctrl_iface_process
reply_len = wpa_supplicant_ctrl_iface_bss(
wpa_s, buf + 4, reply, reply_size);
#ifdef CONFIG_AP
} else if (os_strcmp(buf, "STA-FIRST") == 0) {
reply_len = ap_ctrl_iface_sta_first(wpa_s, reply, reply_size);
} else if (os_strncmp(buf, "STA ", 4) == 0) {
-@@ -8361,12 +8364,15 @@ char * wpa_supplicant_ctrl_iface_process
+@@ -8829,12 +8832,15 @@ char * wpa_supplicant_ctrl_iface_process
} else if (os_strncmp(buf, "STA-NEXT ", 9) == 0) {
reply_len = ap_ctrl_iface_sta_next(wpa_s, buf + 9, reply,
reply_size);
reply_len = -1;
--- a/src/ap/ctrl_iface_ap.c
+++ b/src/ap/ctrl_iface_ap.c
-@@ -22,6 +22,7 @@
+@@ -23,6 +23,7 @@
#include "ctrl_iface_ap.h"
#include "ap_drv_ops.h"
static int hostapd_get_sta_tx_rx(struct hostapd_data *hapd,
struct sta_info *sta,
-@@ -224,6 +225,7 @@ int hostapd_ctrl_iface_sta_next(struct h
+@@ -235,6 +236,7 @@ int hostapd_ctrl_iface_sta_next(struct h
return hostapd_ctrl_iface_sta_mib(hapd, sta->next, buf, buflen);
}
static int p2p_manager_disconnect(struct hostapd_data *hapd, u16 stype,
--- a/src/ap/ieee802_1x.c
+++ b/src/ap/ieee802_1x.c
-@@ -2337,6 +2337,7 @@ static const char * bool_txt(Boolean boo
- return bool_val ? "TRUE" : "FALSE";
+@@ -2359,6 +2359,7 @@ static const char * bool_txt(Boolean val
+ return val ? "TRUE" : "FALSE";
}
+#ifdef CONFIG_CTRL_IFACE_MIB
int ieee802_1x_get_mib(struct hostapd_data *hapd, char *buf, size_t buflen)
{
-@@ -2512,6 +2513,7 @@ int ieee802_1x_get_mib_sta(struct hostap
+@@ -2534,6 +2535,7 @@ int ieee802_1x_get_mib_sta(struct hostap
return len;
}
+#endif
- static void ieee802_1x_finished(struct hostapd_data *hapd,
- struct sta_info *sta, int success,
+ #ifdef CONFIG_HS20
+ static void ieee802_1x_wnm_notif_send(void *eloop_ctx, void *timeout_ctx)
--- a/src/ap/wpa_auth.c
+++ b/src/ap/wpa_auth.c
-@@ -2999,6 +2999,7 @@ static const char * wpa_bool_txt(int boo
- return bool ? "TRUE" : "FALSE";
+@@ -3069,6 +3069,7 @@ static const char * wpa_bool_txt(int val
+ return val ? "TRUE" : "FALSE";
}
+#ifdef CONFIG_CTRL_IFACE_MIB
#define RSN_SUITE "%02x-%02x-%02x-%d"
#define RSN_SUITE_ARG(s) \
-@@ -3143,7 +3144,7 @@ int wpa_get_mib_sta(struct wpa_state_mac
+@@ -3213,7 +3214,7 @@ int wpa_get_mib_sta(struct wpa_state_mac
return len;
}
{
--- a/src/rsn_supp/wpa.c
+++ b/src/rsn_supp/wpa.c
-@@ -2032,6 +2032,8 @@ static u32 wpa_key_mgmt_suite(struct wpa
+@@ -2108,6 +2108,8 @@ static u32 wpa_key_mgmt_suite(struct wpa
}
#define RSN_SUITE "%02x-%02x-%02x-%d"
#define RSN_SUITE_ARG(s) \
((s) >> 24) & 0xff, ((s) >> 16) & 0xff, ((s) >> 8) & 0xff, (s) & 0xff
-@@ -2115,6 +2117,7 @@ int wpa_sm_get_mib(struct wpa_sm *sm, ch
+@@ -2191,6 +2193,7 @@ int wpa_sm_get_mib(struct wpa_sm *sm, ch
return (int) len;
}
--- a/wpa_supplicant/ap.c
+++ b/wpa_supplicant/ap.c
-@@ -1015,7 +1015,7 @@ int wpas_ap_wps_nfc_report_handover(stru
+@@ -1091,7 +1091,7 @@ int wpas_ap_wps_nfc_report_handover(stru
#endif /* CONFIG_WPS */
--- a/src/common/wpa_common.c
+++ b/src/common/wpa_common.c
-@@ -1228,6 +1228,31 @@ u32 wpa_akm_to_suite(int akm)
+@@ -1242,6 +1242,31 @@ u32 wpa_akm_to_suite(int akm)
}
int wpa_compare_rsn_ie(int ft_initial_assoc,
const u8 *ie1, size_t ie1len,
const u8 *ie2, size_t ie2len)
-@@ -1235,8 +1260,19 @@ int wpa_compare_rsn_ie(int ft_initial_as
+@@ -1249,8 +1274,19 @@ int wpa_compare_rsn_ie(int ft_initial_as
if (ie1 == NULL || ie2 == NULL)
return -1;
--- a/src/ap/wps_hostapd.c
+++ b/src/ap/wps_hostapd.c
-@@ -1052,11 +1052,9 @@ int hostapd_init_wps(struct hostapd_data
-
- if (conf->rsn_pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP))
+@@ -352,8 +352,7 @@ static int hapd_wps_reconfig_in_memory(s
+ bss->wpa_pairwise |= WPA_CIPHER_GCMP;
+ else
+ bss->wpa_pairwise |= WPA_CIPHER_CCMP;
+- }
+- if (cred->encr_type & WPS_ENCR_TKIP)
++ } else if (cred->encr_type & WPS_ENCR_TKIP)
+ bss->wpa_pairwise |= WPA_CIPHER_TKIP;
+ bss->rsn_pairwise = bss->wpa_pairwise;
+ bss->wpa_group = wpa_select_ap_group_cipher(bss->wpa,
+@@ -1073,8 +1072,7 @@ int hostapd_init_wps(struct hostapd_data
+ if (conf->rsn_pairwise & (WPA_CIPHER_CCMP | WPA_CIPHER_GCMP)) {
wps->encr_types |= WPS_ENCR_AES;
-- if (conf->rsn_pairwise & WPA_CIPHER_TKIP)
-+ else if (conf->rsn_pairwise & WPA_CIPHER_TKIP)
+ wps->encr_types_rsn |= WPS_ENCR_AES;
+- }
+- if (conf->rsn_pairwise & WPA_CIPHER_TKIP) {
++ } else if (conf->rsn_pairwise & WPA_CIPHER_TKIP) {
wps->encr_types |= WPS_ENCR_TKIP;
-- }
--
-- if (conf->wpa & WPA_PROTO_WPA) {
-+ } else if (conf->wpa & WPA_PROTO_WPA) {
- if (conf->wpa_key_mgmt & WPA_KEY_MGMT_PSK)
- wps->auth_types |= WPS_AUTH_WPAPSK;
- if (conf->wpa_key_mgmt & WPA_KEY_MGMT_IEEE8021X)
-@@ -1064,7 +1062,7 @@ int hostapd_init_wps(struct hostapd_data
-
- if (conf->wpa_pairwise & WPA_CIPHER_CCMP)
- wps->encr_types |= WPS_ENCR_AES;
-- if (conf->wpa_pairwise & WPA_CIPHER_TKIP)
-+ else if (conf->wpa_pairwise & WPA_CIPHER_TKIP)
- wps->encr_types |= WPS_ENCR_TKIP;
- }
-
+ wps->encr_types_rsn |= WPS_ENCR_TKIP;
+ }
#ifdef CONFIG_DEBUG_FILE
static char *last_path = NULL;
#endif /* CONFIG_DEBUG_FILE */
-@@ -602,7 +576,7 @@ void wpa_msg_register_ifname_cb(wpa_msg_
+@@ -604,7 +578,7 @@ void wpa_msg_register_ifname_cb(wpa_msg_
}
{
va_list ap;
char *buf;
-@@ -640,7 +614,7 @@ void wpa_msg(void *ctx, int level, const
+@@ -642,7 +616,7 @@ void wpa_msg(void *ctx, int level, const
}
/*
* wpa_dbg() behaves like wpa_msg(), but it can be removed from build to reduce
-@@ -181,7 +222,12 @@ void wpa_hexdump_ascii_key(int level, co
+@@ -182,7 +223,12 @@ void wpa_hexdump_ascii_key(int level, co
*
* Note: New line '\n' is added to the end of the text when printing to stdout.
*/
/**
* wpa_msg_ctrl - Conditional printf for ctrl_iface monitors
-@@ -195,8 +241,13 @@ void wpa_msg(void *ctx, int level, const
+@@ -196,8 +242,13 @@ void wpa_msg(void *ctx, int level, const
* attached ctrl_iface monitors. In other words, it can be used for frequent
* events that do not need to be sent to syslog.
*/
#include "crypto/random.h"
#include "crypto/tls.h"
#include "common/version.h"
-@@ -567,7 +568,7 @@ int main(int argc, char *argv[])
+@@ -593,7 +594,7 @@ int main(int argc, char *argv[])
wpa_supplicant_event = hostapd_wpa_event;
for (;;) {
-- c = getopt(argc, argv, "b:Bde:f:hKP:Ttu:vg:G:");
-+ c = getopt(argc, argv, "b:Bde:f:hKP:Ttu:g:G:v::");
+- c = getopt(argc, argv, "b:Bde:f:hKP:STtu:vg:G:");
++ c = getopt(argc, argv, "b:Bde:f:hKP:STtu:g:G:v::");
if (c < 0)
break;
switch (c) {
-@@ -604,6 +605,8 @@ int main(int argc, char *argv[])
+@@ -630,6 +631,8 @@ int main(int argc, char *argv[])
break;
#endif /* CONFIG_DEBUG_LINUX_TRACING */
case 'v':
#include "common.h"
+#include "build_features.h"
+ #include "fst/fst.h"
#include "wpa_supplicant_i.h"
#include "driver_i.h"
- #include "p2p_supplicant.h"
-@@ -176,7 +177,7 @@ int main(int argc, char *argv[])
+@@ -177,7 +178,7 @@ int main(int argc, char *argv[])
for (;;) {
c = getopt(argc, argv,
if (c < 0)
break;
switch (c) {
-@@ -279,8 +280,12 @@ int main(int argc, char *argv[])
+@@ -280,8 +281,12 @@ int main(int argc, char *argv[])
break;
#endif /* CONFIG_DBUS */
case 'v':
--- a/hostapd/hostapd_cli.c
+++ b/hostapd/hostapd_cli.c
-@@ -67,7 +67,6 @@ static const char *commands_help =
+@@ -68,7 +68,6 @@ static const char *const commands_help =
#ifdef CONFIG_IEEE80211W
" sa_query <addr> send SA Query to a station\n"
#endif /* CONFIG_IEEE80211W */
" wps_pin <uuid> <pin> [timeout] [addr] add WPS Enrollee PIN\n"
" wps_check_pin <PIN> verify PIN checksum\n"
" wps_pbc indicate button pushed to initiate PBC\n"
-@@ -80,7 +79,6 @@ static const char *commands_help =
+@@ -81,7 +80,6 @@ static const char *const commands_help =
" wps_ap_pin <cmd> [params..] enable/disable AP PIN\n"
" wps_config <SSID> <auth> <encr> <key> configure AP\n"
" wps_get_status show current WPS status\n"
" get_config show current configuration\n"
" help show this usage help\n"
" interface [ifname] show interfaces/select interface\n"
-@@ -353,7 +351,6 @@ static int hostapd_cli_cmd_sa_query(stru
+@@ -364,7 +362,6 @@ static int hostapd_cli_cmd_sa_query(stru
#endif /* CONFIG_IEEE80211W */
static int hostapd_cli_cmd_wps_pin(struct wpa_ctrl *ctrl, int argc,
char *argv[])
{
-@@ -579,7 +576,6 @@ static int hostapd_cli_cmd_wps_config(st
+@@ -590,7 +587,6 @@ static int hostapd_cli_cmd_wps_config(st
ssid_hex, argv[1]);
return wpa_ctrl_command(ctrl, buf);
}
static int hostapd_cli_cmd_disassoc_imminent(struct wpa_ctrl *ctrl, int argc,
-@@ -1027,7 +1023,6 @@ static struct hostapd_cli_cmd hostapd_cl
+@@ -1086,7 +1082,6 @@ static const struct hostapd_cli_cmd host
#ifdef CONFIG_IEEE80211W
{ "sa_query", hostapd_cli_cmd_sa_query },
#endif /* CONFIG_IEEE80211W */
{ "wps_pin", hostapd_cli_cmd_wps_pin },
{ "wps_check_pin", hostapd_cli_cmd_wps_check_pin },
{ "wps_pbc", hostapd_cli_cmd_wps_pbc },
-@@ -1041,7 +1036,6 @@ static struct hostapd_cli_cmd hostapd_cl
+@@ -1100,7 +1095,6 @@ static const struct hostapd_cli_cmd host
{ "wps_ap_pin", hostapd_cli_cmd_wps_ap_pin },
{ "wps_config", hostapd_cli_cmd_wps_config },
{ "wps_get_status", hostapd_cli_cmd_wps_get_status },
--- a/wpa_supplicant/wpa_cli.c
+++ b/wpa_supplicant/wpa_cli.c
-@@ -26,6 +26,10 @@
+@@ -25,6 +25,9 @@
+ #include <cutils/properties.h>
#endif /* ANDROID */
-
+#ifndef CONFIG_P2P
+#define CONFIG_P2P
+#endif
-+
- static const char *wpa_cli_version =
+
+ static const char *const wpa_cli_version =
"wpa_cli v" VERSION_STR "\n"
- "Copyright (c) 2004-2015, Jouni Malinen <j@w1.fi> and contributors";
+++ /dev/null
---- a/src/ap/beacon.c
-+++ b/src/ap/beacon.c
-@@ -664,6 +664,10 @@ void handle_probe_req(struct hostapd_dat
- return;
- }
-
-+ if (!sta && hapd->num_sta >= hapd->conf->max_num_sta)
-+ wpa_printf(MSG_MSGDUMP, "Probe Request from " MACSTR " ignored,"
-+ " too many connected stations.", MAC2STR(mgmt->sa));
-+
- #ifdef CONFIG_INTERWORKING
- if (hapd->conf->interworking &&
- elems.interworking && elems.interworking_len >= 1) {
--- a/hostapd/main.c
+++ b/hostapd/main.c
-@@ -36,6 +36,8 @@ struct hapd_global {
+@@ -37,6 +37,8 @@ struct hapd_global {
};
static struct hapd_global global;
#ifndef CONFIG_NO_HOSTAPD_LOGGER
-@@ -142,6 +144,14 @@ static void hostapd_logger_cb(void *ctx,
+@@ -143,6 +145,14 @@ static void hostapd_logger_cb(void *ctx,
}
#endif /* CONFIG_NO_HOSTAPD_LOGGER */
/**
* hostapd_driver_init - Preparate driver interface
-@@ -160,6 +170,8 @@ static int hostapd_driver_init(struct ho
+@@ -161,6 +171,8 @@ static int hostapd_driver_init(struct ho
return -1;
}
/* Initialize the driver interface */
if (!(b[0] | b[1] | b[2] | b[3] | b[4] | b[5]))
b = NULL;
-@@ -381,8 +393,6 @@ static void hostapd_global_deinit(const
+@@ -382,8 +394,6 @@ static void hostapd_global_deinit(const
#endif /* CONFIG_NATIVE_WINDOWS */
eap_server_unregister_methods();
}
-@@ -408,11 +418,6 @@ static int hostapd_global_run(struct hap
+@@ -409,11 +419,6 @@ static int hostapd_global_run(struct hap
}
#endif /* EAP_SERVER_TNC */
eloop_run();
return 0;
-@@ -542,8 +547,7 @@ int main(int argc, char *argv[])
+@@ -566,8 +571,7 @@ int main(int argc, char *argv[])
struct hapd_interfaces interfaces;
int ret = 1;
size_t i, j;
+#include "drivers/nl80211_copy.h"
#include "common/defs.h"
+ #include "common/ieee802_11_defs.h"
#include "utils/list.h"
-
-@@ -538,6 +539,9 @@ struct wpa_driver_associate_params {
+@@ -570,6 +571,9 @@ struct wpa_driver_associate_params {
* responsible for selecting with which BSS to associate. */
const u8 *bssid;
*
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
-@@ -15,6 +15,7 @@
- #include "rsn_supp/wpa.h"
+@@ -16,6 +16,7 @@
#include "eap_peer/eap.h"
#include "p2p/p2p.h"
+ #include "fst/fst.h"
+#include "drivers/nl80211_copy.h"
#include "config.h"
-@@ -1722,6 +1723,97 @@ static char * wpa_config_write_mesh_basi
+@@ -1742,6 +1743,97 @@ static char * wpa_config_write_mesh_basi
#endif /* CONFIG_MESH */
/* Helper macros for network block parser */
#ifdef OFFSET
-@@ -1947,6 +2039,9 @@ static const struct parse_data ssid_fiel
+@@ -1973,6 +2065,9 @@ static const struct parse_data ssid_fiel
{ INT(ap_max_inactivity) },
{ INT(dtim_period) },
{ INT(beacon_int) },
#include "eap_peer/eap_config.h"
+#include "drivers/nl80211_copy.h"
- #define MAX_SSID_LEN 32
-@@ -675,6 +676,9 @@ struct wpa_ssid {
+ #define DEFAULT_EAP_WORKAROUND ((unsigned int) -1)
+@@ -698,6 +699,9 @@ struct wpa_ssid {
*/
void *parent_cred;
* macsec_policy - Determines the policy for MACsec secure session
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
-@@ -2266,6 +2266,13 @@ static void wpas_start_assoc_cb(struct w
+@@ -2421,6 +2421,13 @@ static void wpas_start_assoc_cb(struct w
params.beacon_int = ssid->beacon_int;
else
params.beacon_int = wpa_s->conf->beacon_int;
--- a/src/drivers/driver_nl80211.c
+++ b/src/drivers/driver_nl80211.c
-@@ -4398,7 +4398,7 @@ static int wpa_driver_nl80211_ibss(struc
+@@ -4491,7 +4491,7 @@ static int wpa_driver_nl80211_ibss(struc
struct wpa_driver_associate_params *params)
{
struct nl_msg *msg;
int count = 0;
wpa_printf(MSG_DEBUG, "nl80211: Join IBSS (ifindex=%d)", drv->ifindex);
-@@ -4425,6 +4425,37 @@ retry:
+@@ -4518,6 +4518,37 @@ retry:
nl80211_put_beacon_int(msg, params->beacon_int))
goto fail;
--- a/src/drivers/driver.h
+++ b/src/drivers/driver.h
-@@ -541,6 +541,8 @@ struct wpa_driver_associate_params {
+@@ -573,6 +573,8 @@ struct wpa_driver_associate_params {
unsigned char rates[NL80211_MAX_SUPP_RATES];
int mcast_rate;
* bssid_hint - BSSID of a proposed AP
--- a/src/drivers/driver_nl80211.c
+++ b/src/drivers/driver_nl80211.c
-@@ -4456,6 +4456,22 @@ retry:
+@@ -4549,6 +4549,22 @@ retry:
nla_put_u32(msg, NL80211_ATTR_MCAST_RATE, params->mcast_rate);
}
goto fail;
--- a/wpa_supplicant/config.c
+++ b/wpa_supplicant/config.c
-@@ -1754,6 +1754,71 @@ static char * wpa_config_write_mcast_rat
+@@ -1774,6 +1774,71 @@ static char * wpa_config_write_mcast_rat
}
#endif /* NO_CONFIG_WRITE */
static int wpa_config_parse_rates(const struct parse_data *data,
struct wpa_ssid *ssid, int line,
const char *value)
-@@ -2042,6 +2107,7 @@ static const struct parse_data ssid_fiel
+@@ -2068,6 +2133,7 @@ static const struct parse_data ssid_fiel
{ INT_RANGE(fixed_freq, 0, 1) },
{ FUNC(rates) },
{ FUNC(mcast_rate) },
#endif /* CONFIG_MACSEC */
--- a/wpa_supplicant/config_ssid.h
+++ b/wpa_supplicant/config_ssid.h
-@@ -678,6 +678,8 @@ struct wpa_ssid {
+@@ -701,6 +701,8 @@ struct wpa_ssid {
unsigned char rates[NL80211_MAX_SUPP_RATES];
double mcast_rate;
/**
--- a/wpa_supplicant/wpa_supplicant.c
+++ b/wpa_supplicant/wpa_supplicant.c
-@@ -2273,6 +2273,8 @@ static void wpas_start_assoc_cb(struct w
+@@ -2428,6 +2428,8 @@ static void wpas_start_assoc_cb(struct w
i++;
}
params.mcast_rate = ssid->mcast_rate;
+++ /dev/null
---- a/src/ap/sta_info.h
-+++ b/src/ap/sta_info.h
-@@ -179,7 +179,7 @@ struct sta_info {
- * AP_DISASSOC_DELAY seconds. Similarly, the station will be deauthenticated
- * after AP_DEAUTH_DELAY seconds has passed after disassociation. */
- #define AP_MAX_INACTIVITY (5 * 60)
--#define AP_DISASSOC_DELAY (1)
-+#define AP_DISASSOC_DELAY (3)
- #define AP_DEAUTH_DELAY (1)
- /* Number of seconds to keep STA entry with Authenticated flag after it has
- * been disassociated. */
--- a/hostapd/Makefile
+++ b/hostapd/Makefile
-@@ -121,6 +121,11 @@ OBJS += ../src/common/hw_features_common
+@@ -155,6 +155,11 @@ OBJS += ../src/common/hw_features_common
OBJS += ../src/eapol_auth/eapol_auth_sm.o
struct wpa_ctrl_dst;
struct radius_server_data;
-@@ -103,6 +104,7 @@ struct hostapd_data {
+@@ -107,6 +108,7 @@ struct hostapd_data {
struct hostapd_iface *iface;
struct hostapd_config *iconf;
struct hostapd_bss_config *conf;
int interface_added; /* virtual interface added for this BSS */
unsigned int started:1;
unsigned int disabled:1;
-@@ -286,6 +288,8 @@ struct hostapd_iface {
+@@ -299,6 +301,8 @@ struct hostapd_iface {
struct hostapd_config *conf;
char phy[16]; /* Name of the PHY (radio) */
HAPD_IFACE_DISABLED,
--- /dev/null
+++ b/src/ap/ubus.c
-@@ -0,0 +1,511 @@
+@@ -0,0 +1,536 @@
+/*
+ * hostapd / ubus support
+ * Copyright (c) 2013, Felix Fietkau <nbd@openwrt.org>
+#include "wps_hostapd.h"
+#include "sta_info.h"
+#include "ubus.h"
++#include "ap_drv_ops.h"
++#include "beacon.h"
+
+static struct ubus_context *ctx;
+static struct blob_buf b;
+{
+ struct blob_attr *tb[__VENDOR_ELEMENTS_MAX];
+ struct hostapd_data *hapd = get_hapd_from_object(obj);
++ struct hostapd_bss_config *bss = hapd->conf;
++ struct wpabuf *elems;
++ const char *pos;
++ size_t len;
+
+ blobmsg_parse(ve_policy, __VENDOR_ELEMENTS_MAX, tb,
+ blob_data(msg), blob_len(msg));
+ if (!tb[VENDOR_ELEMENTS])
+ return UBUS_STATUS_INVALID_ARGUMENT;
+
-+ const char *vendor_elements = blobmsg_data(tb[VENDOR_ELEMENTS]);
-+ if (hostapd_set_iface(hapd->iconf, hapd->conf, "vendor_elements",
-+ vendor_elements) != 0)
-+ return UBUS_STATUS_NOT_SUPPORTED;
++ pos = blobmsg_data(tb[VENDOR_ELEMENTS]);
++ len = os_strlen(pos);
++ if (len & 0x01)
++ return UBUS_STATUS_INVALID_ARGUMENT;
++
++ len /= 2;
++ if (len == 0) {
++ wpabuf_free(bss->vendor_elements);
++ bss->vendor_elements = NULL;
++ return 0;
++ }
++
++ elems = wpabuf_alloc(len);
++ if (elems == NULL)
++ return 1;
++
++ if (hexstr2bin(pos, wpabuf_put(elems, len), len)) {
++ wpabuf_free(elems);
++ return UBUS_STATUS_INVALID_ARGUMENT;
++ }
++
++ wpabuf_free(bss->vendor_elements);
++ bss->vendor_elements = elems;
+
+ /* update beacons if vendor elements were set successfully */
+ if (ieee802_11_update_beacons(hapd->iface) != 0)
+#endif
--- a/src/ap/hostapd.c
+++ b/src/ap/hostapd.c
-@@ -277,6 +277,7 @@ static void hostapd_free_hapd_data(struc
+@@ -280,6 +280,7 @@ static void hostapd_free_hapd_data(struc
hapd->started = 0;
wpa_printf(MSG_DEBUG, "%s(%s)", __func__, hapd->conf->iface);
iapp_deinit(hapd->iapp);
hapd->iapp = NULL;
accounting_deinit(hapd);
-@@ -1098,6 +1099,8 @@ static int hostapd_setup_bss(struct host
+@@ -1118,6 +1119,8 @@ static int hostapd_setup_bss(struct host
if (hapd->driver && hapd->driver->set_operstate)
hapd->driver->set_operstate(hapd->drv_priv, 1);
return 0;
}
-@@ -1384,6 +1387,7 @@ int hostapd_setup_interface_complete(str
+@@ -1523,6 +1526,7 @@ static int hostapd_setup_interface_compl
if (err)
goto fail;
wpa_printf(MSG_DEBUG, "Completing interface initialization");
if (iface->conf->channel) {
#ifdef NEED_AP_MLME
-@@ -1544,6 +1548,7 @@ dfs_offload:
+@@ -1700,6 +1704,7 @@ dfs_offload:
fail:
wpa_printf(MSG_ERROR, "Interface initialization failed");
+ hostapd_ubus_free_iface(iface);
hostapd_set_state(iface, HAPD_IFACE_DISABLED);
wpa_msg(hapd->msg_ctx, MSG_INFO, AP_EVENT_DISABLED);
- if (iface->interfaces && iface->interfaces->terminate_on_error)
-@@ -1873,6 +1878,7 @@ void hostapd_interface_deinit_free(struc
+ #ifdef CONFIG_FST
+@@ -2125,6 +2130,7 @@ void hostapd_interface_deinit_free(struc
(unsigned int) iface->conf->num_bss);
driver = iface->bss[0]->driver;
drv_priv = iface->bss[0]->drv_priv;
__func__, driver, drv_priv);
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
-@@ -881,7 +881,8 @@ int auth_sae_init_committed(struct hosta
+@@ -877,7 +877,8 @@ int auth_sae_init_committed(struct hosta
static void handle_auth(struct hostapd_data *hapd,
{
u16 auth_alg, auth_transaction, status_code;
u16 resp = WLAN_STATUS_SUCCESS;
-@@ -897,6 +898,11 @@ static void handle_auth(struct hostapd_d
+@@ -893,6 +894,11 @@ static void handle_auth(struct hostapd_d
char *identity = NULL;
char *radius_cui = NULL;
u16 seq_ctrl;
if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.auth)) {
wpa_printf(MSG_INFO, "handle_auth - too short payload (len=%lu)",
-@@ -983,6 +989,14 @@ static void handle_auth(struct hostapd_d
+@@ -1044,6 +1050,14 @@ static void handle_auth(struct hostapd_d
resp = WLAN_STATUS_UNSPECIFIED_FAILURE;
goto fail;
}
if (res == HOSTAPD_ACL_PENDING) {
wpa_printf(MSG_DEBUG, "Authentication frame from " MACSTR
" waiting for an external authentication",
-@@ -1694,13 +1708,18 @@ static void send_assoc_resp(struct hosta
+@@ -1776,13 +1790,18 @@ static void send_assoc_resp(struct hosta
static void handle_assoc(struct hostapd_data *hapd,
const struct ieee80211_mgmt *mgmt, size_t len,
if (len < IEEE80211_HDRLEN + (reassoc ? sizeof(mgmt->u.reassoc_req) :
sizeof(mgmt->u.assoc_req))) {
-@@ -1820,6 +1839,13 @@ static void handle_assoc(struct hostapd_
+@@ -1902,6 +1921,13 @@ static void handle_assoc(struct hostapd_
goto fail;
}
sta->capability = capab_info;
sta->listen_interval = listen_interval;
-@@ -2236,7 +2262,7 @@ int ieee802_11_mgmt(struct hostapd_data
+@@ -2328,7 +2354,7 @@ int ieee802_11_mgmt(struct hostapd_data
if (stype == WLAN_FC_STYPE_PROBE_REQ) {
return 1;
}
-@@ -2251,17 +2277,17 @@ int ieee802_11_mgmt(struct hostapd_data
+@@ -2346,17 +2372,17 @@ int ieee802_11_mgmt(struct hostapd_data
switch (stype) {
case WLAN_FC_STYPE_AUTH:
wpa_printf(MSG_DEBUG, "mgmt::auth");
case WLAN_FC_STYPE_DISASSOC:
--- a/src/ap/beacon.c
+++ b/src/ap/beacon.c
-@@ -542,7 +542,7 @@ static enum ssid_match_result ssid_match
+@@ -667,7 +667,7 @@ sta_track_seen_on(struct hostapd_iface *
void handle_probe_req(struct hostapd_data *hapd,
const struct ieee80211_mgmt *mgmt, size_t len,
{
u8 *resp;
struct ieee802_11_elems elems;
-@@ -550,8 +550,14 @@ void handle_probe_req(struct hostapd_dat
- size_t ie_len;
- struct sta_info *sta = NULL;
+@@ -676,9 +676,15 @@ void handle_probe_req(struct hostapd_dat
size_t i, resp_len;
-+ int ssi_signal = fi->ssi_signal;
int noack;
enum ssid_match_result res;
++ int ssi_signal = fi->ssi_signal;
+ int ret;
+ u16 csa_offs[2];
+ size_t csa_offs_len;
+ struct hostapd_ubus_request req = {
+ .type = HOSTAPD_UBUS_PROBE_REQ,
+ .mgmt_frame = mgmt,
ie = mgmt->u.probe_req.variable;
if (len < IEEE80211_HDRLEN + sizeof(mgmt->u.probe_req))
-@@ -710,6 +716,12 @@ void handle_probe_req(struct hostapd_dat
+@@ -830,6 +836,12 @@ void handle_probe_req(struct hostapd_dat
}
#endif /* CONFIG_P2P */
int ieee802_11_update_beacons(struct hostapd_iface *iface);
--- a/src/ap/drv_callbacks.c
+++ b/src/ap/drv_callbacks.c
-@@ -49,6 +49,10 @@ int hostapd_notif_assoc(struct hostapd_d
+@@ -51,6 +51,10 @@ int hostapd_notif_assoc(struct hostapd_d
u16 reason = WLAN_REASON_UNSPECIFIED;
u16 status = WLAN_STATUS_SUCCESS;
const u8 *p2p_dev_addr = NULL;
if (addr == NULL) {
/*
-@@ -113,6 +117,12 @@ int hostapd_notif_assoc(struct hostapd_d
+@@ -123,6 +127,12 @@ int hostapd_notif_assoc(struct hostapd_d
+ goto fail;
}
- sta->flags &= ~(WLAN_STA_WPS | WLAN_STA_MAYBE_WPS | WLAN_STA_WPS2);
+ if (hostapd_ubus_handle_event(hapd, &req)) {
+ wpa_printf(MSG_DEBUG, "Station " MACSTR " assoc rejected by ubus handler.\n",
projects / 15.05 / openwrt.git / commitdiff