xref: /freebsd/contrib/wpa/wpa_supplicant/ctrl_iface_unix.c (revision 1f4bcc459a76b7aa664f3fd557684cd0ba6da352)
1 /*
2  * WPA Supplicant / UNIX domain socket -based control interface
3  * Copyright (c) 2004-2014, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  */
8 
9 #include "includes.h"
10 #include <sys/un.h>
11 #include <sys/stat.h>
12 #include <grp.h>
13 #include <stddef.h>
14 #include <unistd.h>
15 #include <fcntl.h>
16 #ifdef __linux__
17 #include <sys/ioctl.h>
18 #include <linux/sockios.h>
19 #endif /* __linux__ */
20 #ifdef ANDROID
21 #include <cutils/sockets.h>
22 #endif /* ANDROID */
23 
24 #include "utils/common.h"
25 #include "utils/eloop.h"
26 #include "utils/list.h"
27 #include "eapol_supp/eapol_supp_sm.h"
28 #include "config.h"
29 #include "wpa_supplicant_i.h"
30 #include "ctrl_iface.h"
31 
32 /* Per-interface ctrl_iface */
33 
34 /**
35  * struct wpa_ctrl_dst - Internal data structure of control interface monitors
36  *
37  * This structure is used to store information about registered control
38  * interface monitors into struct wpa_supplicant. This data is private to
39  * ctrl_iface_unix.c and should not be touched directly from other files.
40  */
41 struct wpa_ctrl_dst {
42 	struct dl_list list;
43 	struct sockaddr_un addr;
44 	socklen_t addrlen;
45 	int debug_level;
46 	int errors;
47 };
48 
49 
50 struct ctrl_iface_priv {
51 	struct wpa_supplicant *wpa_s;
52 	int sock;
53 	struct dl_list ctrl_dst;
54 	int android_control_socket;
55 };
56 
57 
58 struct ctrl_iface_global_priv {
59 	struct wpa_global *global;
60 	int sock;
61 	struct dl_list ctrl_dst;
62 	int android_control_socket;
63 };
64 
65 
66 static void wpa_supplicant_ctrl_iface_send(struct wpa_supplicant *wpa_s,
67 					   const char *ifname, int sock,
68 					   struct dl_list *ctrl_dst,
69 					   int level, const char *buf,
70 					   size_t len,
71 					   struct ctrl_iface_priv *priv,
72 					   struct ctrl_iface_global_priv *gp);
73 static int wpas_ctrl_iface_reinit(struct wpa_supplicant *wpa_s,
74 				  struct ctrl_iface_priv *priv);
75 static int wpas_ctrl_iface_global_reinit(struct wpa_global *global,
76 					 struct ctrl_iface_global_priv *priv);
77 
78 
79 static void wpas_ctrl_sock_debug(const char *title, int sock, const char *buf,
80 				 size_t len)
81 {
82 #ifdef __linux__
83 	socklen_t optlen;
84 	int sndbuf, outq;
85 	int level = MSG_MSGDUMP;
86 
87 	if (len >= 5 && os_strncmp(buf, "PONG\n", 5) == 0)
88 		level = MSG_EXCESSIVE;
89 
90 	optlen = sizeof(sndbuf);
91 	sndbuf = 0;
92 	if (getsockopt(sock, SOL_SOCKET, SO_SNDBUF, &sndbuf, &optlen) < 0)
93 		sndbuf = -1;
94 
95 	if (ioctl(sock, SIOCOUTQ, &outq) < 0)
96 		outq = -1;
97 
98 	wpa_printf(level,
99 		   "CTRL-DEBUG: %s: sock=%d sndbuf=%d outq=%d send_len=%d",
100 		   title, sock, sndbuf, outq, (int) len);
101 #endif /* __linux__ */
102 }
103 
104 
105 static int wpa_supplicant_ctrl_iface_attach(struct dl_list *ctrl_dst,
106 					    struct sockaddr_un *from,
107 					    socklen_t fromlen, int global)
108 {
109 	struct wpa_ctrl_dst *dst;
110 	char addr_txt[200];
111 
112 	dst = os_zalloc(sizeof(*dst));
113 	if (dst == NULL)
114 		return -1;
115 	os_memcpy(&dst->addr, from, sizeof(struct sockaddr_un));
116 	dst->addrlen = fromlen;
117 	dst->debug_level = MSG_INFO;
118 	dl_list_add(ctrl_dst, &dst->list);
119 	printf_encode(addr_txt, sizeof(addr_txt),
120 		      (u8 *) from->sun_path,
121 		      fromlen - offsetof(struct sockaddr_un, sun_path));
122 	wpa_printf(MSG_DEBUG, "CTRL_IFACE %smonitor attached %s",
123 		   global ? "global " : "", addr_txt);
124 	return 0;
125 }
126 
127 
128 static int wpa_supplicant_ctrl_iface_detach(struct dl_list *ctrl_dst,
129 					    struct sockaddr_un *from,
130 					    socklen_t fromlen)
131 {
132 	struct wpa_ctrl_dst *dst;
133 
134 	dl_list_for_each(dst, ctrl_dst, struct wpa_ctrl_dst, list) {
135 		if (fromlen == dst->addrlen &&
136 		    os_memcmp(from->sun_path, dst->addr.sun_path,
137 			      fromlen - offsetof(struct sockaddr_un, sun_path))
138 		    == 0) {
139 			char addr_txt[200];
140 			printf_encode(addr_txt, sizeof(addr_txt),
141 				      (u8 *) from->sun_path,
142 				      fromlen -
143 				      offsetof(struct sockaddr_un, sun_path));
144 			wpa_printf(MSG_DEBUG, "CTRL_IFACE monitor detached %s",
145 				   addr_txt);
146 			dl_list_del(&dst->list);
147 			os_free(dst);
148 			return 0;
149 		}
150 	}
151 	return -1;
152 }
153 
154 
155 static int wpa_supplicant_ctrl_iface_level(struct ctrl_iface_priv *priv,
156 					   struct sockaddr_un *from,
157 					   socklen_t fromlen,
158 					   char *level)
159 {
160 	struct wpa_ctrl_dst *dst;
161 
162 	wpa_printf(MSG_DEBUG, "CTRL_IFACE LEVEL %s", level);
163 
164 	dl_list_for_each(dst, &priv->ctrl_dst, struct wpa_ctrl_dst, list) {
165 		if (fromlen == dst->addrlen &&
166 		    os_memcmp(from->sun_path, dst->addr.sun_path,
167 			      fromlen - offsetof(struct sockaddr_un, sun_path))
168 		    == 0) {
169 			char addr_txt[200];
170 			dst->debug_level = atoi(level);
171 			printf_encode(addr_txt, sizeof(addr_txt),
172 				      (u8 *) from->sun_path, fromlen -
173 				      offsetof(struct sockaddr_un, sun_path));
174 			wpa_printf(MSG_DEBUG, "CTRL_IFACE changed monitor level to %d for %s",
175 				   dst->debug_level, addr_txt);
176 			return 0;
177 		}
178 	}
179 
180 	return -1;
181 }
182 
183 
184 static void wpa_supplicant_ctrl_iface_receive(int sock, void *eloop_ctx,
185 					      void *sock_ctx)
186 {
187 	struct wpa_supplicant *wpa_s = eloop_ctx;
188 	struct ctrl_iface_priv *priv = sock_ctx;
189 	char buf[4096];
190 	int res;
191 	struct sockaddr_un from;
192 	socklen_t fromlen = sizeof(from);
193 	char *reply = NULL, *reply_buf = NULL;
194 	size_t reply_len = 0;
195 	int new_attached = 0;
196 
197 	res = recvfrom(sock, buf, sizeof(buf) - 1, 0,
198 		       (struct sockaddr *) &from, &fromlen);
199 	if (res < 0) {
200 		wpa_printf(MSG_ERROR, "recvfrom(ctrl_iface): %s",
201 			   strerror(errno));
202 		return;
203 	}
204 	buf[res] = '\0';
205 
206 	if (os_strcmp(buf, "ATTACH") == 0) {
207 		if (wpa_supplicant_ctrl_iface_attach(&priv->ctrl_dst, &from,
208 						     fromlen, 0))
209 			reply_len = 1;
210 		else {
211 			new_attached = 1;
212 			reply_len = 2;
213 		}
214 	} else if (os_strcmp(buf, "DETACH") == 0) {
215 		if (wpa_supplicant_ctrl_iface_detach(&priv->ctrl_dst, &from,
216 						     fromlen))
217 			reply_len = 1;
218 		else
219 			reply_len = 2;
220 	} else if (os_strncmp(buf, "LEVEL ", 6) == 0) {
221 		if (wpa_supplicant_ctrl_iface_level(priv, &from, fromlen,
222 						    buf + 6))
223 			reply_len = 1;
224 		else
225 			reply_len = 2;
226 	} else {
227 		reply_buf = wpa_supplicant_ctrl_iface_process(wpa_s, buf,
228 							      &reply_len);
229 		reply = reply_buf;
230 
231 		/*
232 		 * There could be some password/key material in the command, so
233 		 * clear the buffer explicitly now that it is not needed
234 		 * anymore.
235 		 */
236 		os_memset(buf, 0, res);
237 	}
238 
239 	if (!reply && reply_len == 1) {
240 		reply = "FAIL\n";
241 		reply_len = 5;
242 	} else if (!reply && reply_len == 2) {
243 		reply = "OK\n";
244 		reply_len = 3;
245 	}
246 
247 	if (reply) {
248 		wpas_ctrl_sock_debug("ctrl_sock-sendto", sock, reply,
249 				     reply_len);
250 		if (sendto(sock, reply, reply_len, 0, (struct sockaddr *) &from,
251 			   fromlen) < 0) {
252 			int _errno = errno;
253 			wpa_dbg(wpa_s, MSG_DEBUG,
254 				"ctrl_iface sendto failed: %d - %s",
255 				_errno, strerror(_errno));
256 			if (_errno == ENOBUFS || _errno == EAGAIN) {
257 				/*
258 				 * The socket send buffer could be full. This
259 				 * may happen if client programs are not
260 				 * receiving their pending messages. Close and
261 				 * reopen the socket as a workaround to avoid
262 				 * getting stuck being unable to send any new
263 				 * responses.
264 				 */
265 				sock = wpas_ctrl_iface_reinit(wpa_s, priv);
266 				if (sock < 0) {
267 					wpa_dbg(wpa_s, MSG_DEBUG, "Failed to reinitialize ctrl_iface socket");
268 				}
269 			}
270 			if (new_attached) {
271 				wpa_dbg(wpa_s, MSG_DEBUG, "Failed to send response to ATTACH - detaching");
272 				new_attached = 0;
273 				wpa_supplicant_ctrl_iface_detach(
274 					&priv->ctrl_dst, &from, fromlen);
275 			}
276 		}
277 	}
278 	os_free(reply_buf);
279 
280 	if (new_attached)
281 		eapol_sm_notify_ctrl_attached(wpa_s->eapol);
282 }
283 
284 
285 static char * wpa_supplicant_ctrl_iface_path(struct wpa_supplicant *wpa_s)
286 {
287 	char *buf;
288 	size_t len;
289 	char *pbuf, *dir = NULL;
290 	int res;
291 
292 	if (wpa_s->conf->ctrl_interface == NULL)
293 		return NULL;
294 
295 	pbuf = os_strdup(wpa_s->conf->ctrl_interface);
296 	if (pbuf == NULL)
297 		return NULL;
298 	if (os_strncmp(pbuf, "DIR=", 4) == 0) {
299 		char *gid_str;
300 		dir = pbuf + 4;
301 		gid_str = os_strstr(dir, " GROUP=");
302 		if (gid_str)
303 			*gid_str = '\0';
304 	} else
305 		dir = pbuf;
306 
307 	len = os_strlen(dir) + os_strlen(wpa_s->ifname) + 2;
308 	buf = os_malloc(len);
309 	if (buf == NULL) {
310 		os_free(pbuf);
311 		return NULL;
312 	}
313 
314 	res = os_snprintf(buf, len, "%s/%s", dir, wpa_s->ifname);
315 	if (os_snprintf_error(len, res)) {
316 		os_free(pbuf);
317 		os_free(buf);
318 		return NULL;
319 	}
320 #ifdef __CYGWIN__
321 	{
322 		/* Windows/WinPcap uses interface names that are not suitable
323 		 * as a file name - convert invalid chars to underscores */
324 		char *pos = buf;
325 		while (*pos) {
326 			if (*pos == '\\')
327 				*pos = '_';
328 			pos++;
329 		}
330 	}
331 #endif /* __CYGWIN__ */
332 	os_free(pbuf);
333 	return buf;
334 }
335 
336 
337 static void wpa_supplicant_ctrl_iface_msg_cb(void *ctx, int level,
338 					     enum wpa_msg_type type,
339 					     const char *txt, size_t len)
340 {
341 	struct wpa_supplicant *wpa_s = ctx;
342 
343 	if (wpa_s == NULL)
344 		return;
345 
346 	if (type != WPA_MSG_NO_GLOBAL && wpa_s->global->ctrl_iface) {
347 		struct ctrl_iface_global_priv *priv = wpa_s->global->ctrl_iface;
348 		if (!dl_list_empty(&priv->ctrl_dst)) {
349 			wpa_supplicant_ctrl_iface_send(
350 				wpa_s,
351 				type != WPA_MSG_PER_INTERFACE ?
352 				NULL : wpa_s->ifname,
353 				priv->sock, &priv->ctrl_dst, level, txt, len,
354 				NULL, priv);
355 		}
356 	}
357 
358 	if (type == WPA_MSG_ONLY_GLOBAL || wpa_s->ctrl_iface == NULL)
359 		return;
360 	wpa_supplicant_ctrl_iface_send(wpa_s, NULL, wpa_s->ctrl_iface->sock,
361 				       &wpa_s->ctrl_iface->ctrl_dst,
362 				       level, txt, len, wpa_s->ctrl_iface,
363 				       NULL);
364 }
365 
366 
367 static int wpas_ctrl_iface_open_sock(struct wpa_supplicant *wpa_s,
368 				     struct ctrl_iface_priv *priv)
369 {
370 	struct sockaddr_un addr;
371 	char *fname = NULL;
372 	gid_t gid = 0;
373 	int gid_set = 0;
374 	char *buf, *dir = NULL, *gid_str = NULL;
375 	struct group *grp;
376 	char *endp;
377 	int flags;
378 
379 	buf = os_strdup(wpa_s->conf->ctrl_interface);
380 	if (buf == NULL)
381 		goto fail;
382 #ifdef ANDROID
383 	os_snprintf(addr.sun_path, sizeof(addr.sun_path), "wpa_%s",
384 		    wpa_s->conf->ctrl_interface);
385 	priv->sock = android_get_control_socket(addr.sun_path);
386 	if (priv->sock >= 0) {
387 		priv->android_control_socket = 1;
388 		goto havesock;
389 	}
390 #endif /* ANDROID */
391 	if (os_strncmp(buf, "DIR=", 4) == 0) {
392 		dir = buf + 4;
393 		gid_str = os_strstr(dir, " GROUP=");
394 		if (gid_str) {
395 			*gid_str = '\0';
396 			gid_str += 7;
397 		}
398 	} else {
399 		dir = buf;
400 		gid_str = wpa_s->conf->ctrl_interface_group;
401 	}
402 
403 	if (mkdir(dir, S_IRWXU | S_IRWXG) < 0) {
404 		if (errno == EEXIST) {
405 			wpa_printf(MSG_DEBUG, "Using existing control "
406 				   "interface directory.");
407 		} else {
408 			wpa_printf(MSG_ERROR, "mkdir[ctrl_interface=%s]: %s",
409 				   dir, strerror(errno));
410 			goto fail;
411 		}
412 	}
413 
414 #ifdef ANDROID
415 	/*
416 	 * wpa_supplicant is started from /init.*.rc on Android and that seems
417 	 * to be using umask 0077 which would leave the control interface
418 	 * directory without group access. This breaks things since Wi-Fi
419 	 * framework assumes that this directory can be accessed by other
420 	 * applications in the wifi group. Fix this by adding group access even
421 	 * if umask value would prevent this.
422 	 */
423 	if (chmod(dir, S_IRWXU | S_IRWXG) < 0) {
424 		wpa_printf(MSG_ERROR, "CTRL: Could not chmod directory: %s",
425 			   strerror(errno));
426 		/* Try to continue anyway */
427 	}
428 #endif /* ANDROID */
429 
430 	if (gid_str) {
431 		grp = getgrnam(gid_str);
432 		if (grp) {
433 			gid = grp->gr_gid;
434 			gid_set = 1;
435 			wpa_printf(MSG_DEBUG, "ctrl_interface_group=%d"
436 				   " (from group name '%s')",
437 				   (int) gid, gid_str);
438 		} else {
439 			/* Group name not found - try to parse this as gid */
440 			gid = strtol(gid_str, &endp, 10);
441 			if (*gid_str == '\0' || *endp != '\0') {
442 				wpa_printf(MSG_ERROR, "CTRL: Invalid group "
443 					   "'%s'", gid_str);
444 				goto fail;
445 			}
446 			gid_set = 1;
447 			wpa_printf(MSG_DEBUG, "ctrl_interface_group=%d",
448 				   (int) gid);
449 		}
450 	}
451 
452 	if (gid_set && chown(dir, -1, gid) < 0) {
453 		wpa_printf(MSG_ERROR, "chown[ctrl_interface=%s,gid=%d]: %s",
454 			   dir, (int) gid, strerror(errno));
455 		goto fail;
456 	}
457 
458 	/* Make sure the group can enter and read the directory */
459 	if (gid_set &&
460 	    chmod(dir, S_IRUSR | S_IWUSR | S_IXUSR | S_IRGRP | S_IXGRP) < 0) {
461 		wpa_printf(MSG_ERROR, "CTRL: chmod[ctrl_interface]: %s",
462 			   strerror(errno));
463 		goto fail;
464 	}
465 
466 	if (os_strlen(dir) + 1 + os_strlen(wpa_s->ifname) >=
467 	    sizeof(addr.sun_path)) {
468 		wpa_printf(MSG_ERROR, "ctrl_iface path limit exceeded");
469 		goto fail;
470 	}
471 
472 	priv->sock = socket(PF_UNIX, SOCK_DGRAM, 0);
473 	if (priv->sock < 0) {
474 		wpa_printf(MSG_ERROR, "socket(PF_UNIX): %s", strerror(errno));
475 		goto fail;
476 	}
477 
478 	os_memset(&addr, 0, sizeof(addr));
479 #if defined(__FreeBSD__) || defined(__FreeBSD_kernel__)
480 	addr.sun_len = sizeof(addr);
481 #endif /* __FreeBSD__ */
482 	addr.sun_family = AF_UNIX;
483 	fname = wpa_supplicant_ctrl_iface_path(wpa_s);
484 	if (fname == NULL)
485 		goto fail;
486 	os_strlcpy(addr.sun_path, fname, sizeof(addr.sun_path));
487 	if (bind(priv->sock, (struct sockaddr *) &addr, sizeof(addr)) < 0) {
488 		wpa_printf(MSG_DEBUG, "ctrl_iface bind(PF_UNIX) failed: %s",
489 			   strerror(errno));
490 		if (connect(priv->sock, (struct sockaddr *) &addr,
491 			    sizeof(addr)) < 0) {
492 			wpa_printf(MSG_DEBUG, "ctrl_iface exists, but does not"
493 				   " allow connections - assuming it was left"
494 				   "over from forced program termination");
495 			if (unlink(fname) < 0) {
496 				wpa_printf(MSG_ERROR,
497 					   "Could not unlink existing ctrl_iface socket '%s': %s",
498 					   fname, strerror(errno));
499 				goto fail;
500 			}
501 			if (bind(priv->sock, (struct sockaddr *) &addr,
502 				 sizeof(addr)) < 0) {
503 				wpa_printf(MSG_ERROR, "supp-ctrl-iface-init: bind(PF_UNIX): %s",
504 					   strerror(errno));
505 				goto fail;
506 			}
507 			wpa_printf(MSG_DEBUG, "Successfully replaced leftover "
508 				   "ctrl_iface socket '%s'", fname);
509 		} else {
510 			wpa_printf(MSG_INFO, "ctrl_iface exists and seems to "
511 				   "be in use - cannot override it");
512 			wpa_printf(MSG_INFO, "Delete '%s' manually if it is "
513 				   "not used anymore", fname);
514 			os_free(fname);
515 			fname = NULL;
516 			goto fail;
517 		}
518 	}
519 
520 	if (gid_set && chown(fname, -1, gid) < 0) {
521 		wpa_printf(MSG_ERROR, "chown[ctrl_interface=%s,gid=%d]: %s",
522 			   fname, (int) gid, strerror(errno));
523 		goto fail;
524 	}
525 
526 	if (chmod(fname, S_IRWXU | S_IRWXG) < 0) {
527 		wpa_printf(MSG_ERROR, "chmod[ctrl_interface=%s]: %s",
528 			   fname, strerror(errno));
529 		goto fail;
530 	}
531 	os_free(fname);
532 
533 #ifdef ANDROID
534 havesock:
535 #endif /* ANDROID */
536 
537 	/*
538 	 * Make socket non-blocking so that we don't hang forever if
539 	 * target dies unexpectedly.
540 	 */
541 	flags = fcntl(priv->sock, F_GETFL);
542 	if (flags >= 0) {
543 		flags |= O_NONBLOCK;
544 		if (fcntl(priv->sock, F_SETFL, flags) < 0) {
545 			wpa_printf(MSG_INFO, "fcntl(ctrl, O_NONBLOCK): %s",
546 				   strerror(errno));
547 			/* Not fatal, continue on.*/
548 		}
549 	}
550 
551 	eloop_register_read_sock(priv->sock, wpa_supplicant_ctrl_iface_receive,
552 				 wpa_s, priv);
553 	wpa_msg_register_cb(wpa_supplicant_ctrl_iface_msg_cb);
554 
555 	os_free(buf);
556 	return 0;
557 
558 fail:
559 	if (priv->sock >= 0) {
560 		close(priv->sock);
561 		priv->sock = -1;
562 	}
563 	if (fname) {
564 		unlink(fname);
565 		os_free(fname);
566 	}
567 	os_free(buf);
568 	return -1;
569 }
570 
571 
572 struct ctrl_iface_priv *
573 wpa_supplicant_ctrl_iface_init(struct wpa_supplicant *wpa_s)
574 {
575 	struct ctrl_iface_priv *priv;
576 
577 	priv = os_zalloc(sizeof(*priv));
578 	if (priv == NULL)
579 		return NULL;
580 	dl_list_init(&priv->ctrl_dst);
581 	priv->wpa_s = wpa_s;
582 	priv->sock = -1;
583 
584 	if (wpa_s->conf->ctrl_interface == NULL)
585 		return priv;
586 
587 #ifdef ANDROID
588 	if (wpa_s->global->params.ctrl_interface) {
589 		int same = 0;
590 
591 		if (wpa_s->global->params.ctrl_interface[0] == '/') {
592 			if (os_strcmp(wpa_s->global->params.ctrl_interface,
593 				      wpa_s->conf->ctrl_interface) == 0)
594 				same = 1;
595 		} else if (os_strncmp(wpa_s->global->params.ctrl_interface,
596 				      "@android:", 9) == 0 ||
597 			   os_strncmp(wpa_s->global->params.ctrl_interface,
598 				      "@abstract:", 10) == 0) {
599 			char *pos;
600 
601 			/*
602 			 * Currently, Android uses @android:wpa_* as the naming
603 			 * convention for the global ctrl interface. This logic
604 			 * needs to be revisited if the above naming convention
605 			 * is modified.
606 			 */
607 			pos = os_strchr(wpa_s->global->params.ctrl_interface,
608 					'_');
609 			if (pos &&
610 			    os_strcmp(pos + 1,
611 				      wpa_s->conf->ctrl_interface) == 0)
612 				same = 1;
613 		}
614 
615 		if (same) {
616 			/*
617 			 * The invalid configuration combination might be
618 			 * possible to hit in an Android OTA upgrade case, so
619 			 * instead of refusing to start the wpa_supplicant
620 			 * process, do not open the per-interface ctrl_iface
621 			 * and continue with the global control interface that
622 			 * was set from the command line since the Wi-Fi
623 			 * framework will use it for operations.
624 			 */
625 			wpa_printf(MSG_ERROR,
626 				   "global ctrl interface %s matches ctrl interface %s - do not open per-interface ctrl interface",
627 				   wpa_s->global->params.ctrl_interface,
628 				   wpa_s->conf->ctrl_interface);
629 			return priv;
630 		}
631 	}
632 #endif /* ANDROID */
633 
634 	if (wpas_ctrl_iface_open_sock(wpa_s, priv) < 0) {
635 		os_free(priv);
636 		return NULL;
637 	}
638 
639 	return priv;
640 }
641 
642 
643 static int wpas_ctrl_iface_reinit(struct wpa_supplicant *wpa_s,
644 				  struct ctrl_iface_priv *priv)
645 {
646 	int res;
647 
648 	if (priv->sock <= 0)
649 		return -1;
650 
651 	/*
652 	 * On Android, the control socket being used may be the socket
653 	 * that is created when wpa_supplicant is started as a /init.*.rc
654 	 * service. Such a socket is maintained as a key-value pair in
655 	 * Android's environment. Closing this control socket would leave us
656 	 * in a bad state with an invalid socket descriptor.
657 	 */
658 	if (priv->android_control_socket)
659 		return priv->sock;
660 
661 	eloop_unregister_read_sock(priv->sock);
662 	close(priv->sock);
663 	priv->sock = -1;
664 	res = wpas_ctrl_iface_open_sock(wpa_s, priv);
665 	if (res < 0)
666 		return -1;
667 	return priv->sock;
668 }
669 
670 
671 void wpa_supplicant_ctrl_iface_deinit(struct ctrl_iface_priv *priv)
672 {
673 	struct wpa_ctrl_dst *dst, *prev;
674 
675 	if (priv->sock > -1) {
676 		char *fname;
677 		char *buf, *dir = NULL;
678 		eloop_unregister_read_sock(priv->sock);
679 		if (!dl_list_empty(&priv->ctrl_dst)) {
680 			/*
681 			 * Wait before closing the control socket if
682 			 * there are any attached monitors in order to allow
683 			 * them to receive any pending messages.
684 			 */
685 			wpa_printf(MSG_DEBUG, "CTRL_IFACE wait for attached "
686 				   "monitors to receive messages");
687 			os_sleep(0, 100000);
688 		}
689 		close(priv->sock);
690 		priv->sock = -1;
691 		fname = wpa_supplicant_ctrl_iface_path(priv->wpa_s);
692 		if (fname) {
693 			unlink(fname);
694 			os_free(fname);
695 		}
696 
697 		if (priv->wpa_s->conf->ctrl_interface == NULL)
698 			goto free_dst;
699 		buf = os_strdup(priv->wpa_s->conf->ctrl_interface);
700 		if (buf == NULL)
701 			goto free_dst;
702 		if (os_strncmp(buf, "DIR=", 4) == 0) {
703 			char *gid_str;
704 			dir = buf + 4;
705 			gid_str = os_strstr(dir, " GROUP=");
706 			if (gid_str)
707 				*gid_str = '\0';
708 		} else
709 			dir = buf;
710 
711 		if (rmdir(dir) < 0) {
712 			if (errno == ENOTEMPTY) {
713 				wpa_printf(MSG_DEBUG, "Control interface "
714 					   "directory not empty - leaving it "
715 					   "behind");
716 			} else {
717 				wpa_printf(MSG_ERROR,
718 					   "rmdir[ctrl_interface=%s]: %s",
719 					   dir, strerror(errno));
720 			}
721 		}
722 		os_free(buf);
723 	}
724 
725 free_dst:
726 	dl_list_for_each_safe(dst, prev, &priv->ctrl_dst, struct wpa_ctrl_dst,
727 			      list)
728 		os_free(dst);
729 	os_free(priv);
730 }
731 
732 
733 /**
734  * wpa_supplicant_ctrl_iface_send - Send a control interface packet to monitors
735  * @ifname: Interface name for global control socket or %NULL
736  * @sock: Local socket fd
737  * @ctrl_dst: List of attached listeners
738  * @level: Priority level of the message
739  * @buf: Message data
740  * @len: Message length
741  *
742  * Send a packet to all monitor programs attached to the control interface.
743  */
744 static void wpa_supplicant_ctrl_iface_send(struct wpa_supplicant *wpa_s,
745 					   const char *ifname, int sock,
746 					   struct dl_list *ctrl_dst,
747 					   int level, const char *buf,
748 					   size_t len,
749 					   struct ctrl_iface_priv *priv,
750 					   struct ctrl_iface_global_priv *gp)
751 {
752 	struct wpa_ctrl_dst *dst, *next;
753 	char levelstr[10];
754 	int idx, res;
755 	struct msghdr msg;
756 	struct iovec io[5];
757 
758 	if (sock < 0 || dl_list_empty(ctrl_dst))
759 		return;
760 
761 	res = os_snprintf(levelstr, sizeof(levelstr), "<%d>", level);
762 	if (os_snprintf_error(sizeof(levelstr), res))
763 		return;
764 	idx = 0;
765 	if (ifname) {
766 		io[idx].iov_base = "IFNAME=";
767 		io[idx].iov_len = 7;
768 		idx++;
769 		io[idx].iov_base = (char *) ifname;
770 		io[idx].iov_len = os_strlen(ifname);
771 		idx++;
772 		io[idx].iov_base = " ";
773 		io[idx].iov_len = 1;
774 		idx++;
775 	}
776 	io[idx].iov_base = levelstr;
777 	io[idx].iov_len = os_strlen(levelstr);
778 	idx++;
779 	io[idx].iov_base = (char *) buf;
780 	io[idx].iov_len = len;
781 	idx++;
782 	os_memset(&msg, 0, sizeof(msg));
783 	msg.msg_iov = io;
784 	msg.msg_iovlen = idx;
785 
786 	dl_list_for_each_safe(dst, next, ctrl_dst, struct wpa_ctrl_dst, list) {
787 		int _errno;
788 		char addr_txt[200];
789 
790 		if (level < dst->debug_level)
791 			continue;
792 
793 		printf_encode(addr_txt, sizeof(addr_txt),
794 			      (u8 *) dst->addr.sun_path, dst->addrlen -
795 			      offsetof(struct sockaddr_un, sun_path));
796 		msg.msg_name = (void *) &dst->addr;
797 		msg.msg_namelen = dst->addrlen;
798 		wpas_ctrl_sock_debug("ctrl_sock-sendmsg", sock, buf, len);
799 		if (sendmsg(sock, &msg, MSG_DONTWAIT) >= 0) {
800 			wpa_printf(MSG_MSGDUMP,
801 				   "CTRL_IFACE monitor sent successfully to %s",
802 				   addr_txt);
803 			dst->errors = 0;
804 			continue;
805 		}
806 
807 		_errno = errno;
808 		wpa_printf(MSG_DEBUG, "CTRL_IFACE monitor[%s]: %d - %s",
809 			   addr_txt, errno, strerror(errno));
810 		dst->errors++;
811 
812 		if (dst->errors > 10 || _errno == ENOENT || _errno == EPERM) {
813 			wpa_printf(MSG_INFO, "CTRL_IFACE: Detach monitor %s that cannot receive messages",
814 				addr_txt);
815 			wpa_supplicant_ctrl_iface_detach(ctrl_dst, &dst->addr,
816 							 dst->addrlen);
817 		}
818 
819 		if (_errno == ENOBUFS || _errno == EAGAIN) {
820 			/*
821 			 * The socket send buffer could be full. This may happen
822 			 * if client programs are not receiving their pending
823 			 * messages. Close and reopen the socket as a workaround
824 			 * to avoid getting stuck being unable to send any new
825 			 * responses.
826 			 */
827 			if (priv)
828 				sock = wpas_ctrl_iface_reinit(wpa_s, priv);
829 			else if (gp)
830 				sock = wpas_ctrl_iface_global_reinit(
831 					wpa_s->global, gp);
832 			else
833 				break;
834 			if (sock < 0) {
835 				wpa_dbg(wpa_s, MSG_DEBUG,
836 					"Failed to reinitialize ctrl_iface socket");
837 				break;
838 			}
839 		}
840 	}
841 }
842 
843 
844 void wpa_supplicant_ctrl_iface_wait(struct ctrl_iface_priv *priv)
845 {
846 	char buf[256];
847 	int res;
848 	struct sockaddr_un from;
849 	socklen_t fromlen = sizeof(from);
850 
851 	for (;;) {
852 		wpa_printf(MSG_DEBUG, "CTRL_IFACE - %s - wait for monitor to "
853 			   "attach", priv->wpa_s->ifname);
854 		eloop_wait_for_read_sock(priv->sock);
855 
856 		res = recvfrom(priv->sock, buf, sizeof(buf) - 1, 0,
857 			       (struct sockaddr *) &from, &fromlen);
858 		if (res < 0) {
859 			wpa_printf(MSG_ERROR, "recvfrom(ctrl_iface): %s",
860 				   strerror(errno));
861 			continue;
862 		}
863 		buf[res] = '\0';
864 
865 		if (os_strcmp(buf, "ATTACH") == 0) {
866 			/* handle ATTACH signal of first monitor interface */
867 			if (!wpa_supplicant_ctrl_iface_attach(&priv->ctrl_dst,
868 							      &from, fromlen,
869 							      0)) {
870 				if (sendto(priv->sock, "OK\n", 3, 0,
871 					   (struct sockaddr *) &from, fromlen) <
872 				    0) {
873 					wpa_printf(MSG_DEBUG, "ctrl_iface sendto failed: %s",
874 						   strerror(errno));
875 				}
876 				/* OK to continue */
877 				return;
878 			} else {
879 				if (sendto(priv->sock, "FAIL\n", 5, 0,
880 					   (struct sockaddr *) &from, fromlen) <
881 				    0) {
882 					wpa_printf(MSG_DEBUG, "ctrl_iface sendto failed: %s",
883 						   strerror(errno));
884 				}
885 			}
886 		} else {
887 			/* return FAIL for all other signals */
888 			if (sendto(priv->sock, "FAIL\n", 5, 0,
889 				   (struct sockaddr *) &from, fromlen) < 0) {
890 				wpa_printf(MSG_DEBUG,
891 					   "ctrl_iface sendto failed: %s",
892 					   strerror(errno));
893 			}
894 		}
895 	}
896 }
897 
898 
899 /* Global ctrl_iface */
900 
901 static void wpa_supplicant_global_ctrl_iface_receive(int sock, void *eloop_ctx,
902 						     void *sock_ctx)
903 {
904 	struct wpa_global *global = eloop_ctx;
905 	struct ctrl_iface_global_priv *priv = sock_ctx;
906 	char buf[4096];
907 	int res;
908 	struct sockaddr_un from;
909 	socklen_t fromlen = sizeof(from);
910 	char *reply = NULL, *reply_buf = NULL;
911 	size_t reply_len;
912 
913 	res = recvfrom(sock, buf, sizeof(buf) - 1, 0,
914 		       (struct sockaddr *) &from, &fromlen);
915 	if (res < 0) {
916 		wpa_printf(MSG_ERROR, "recvfrom(ctrl_iface): %s",
917 			   strerror(errno));
918 		return;
919 	}
920 	buf[res] = '\0';
921 
922 	if (os_strcmp(buf, "ATTACH") == 0) {
923 		if (wpa_supplicant_ctrl_iface_attach(&priv->ctrl_dst, &from,
924 						     fromlen, 1))
925 			reply_len = 1;
926 		else
927 			reply_len = 2;
928 	} else if (os_strcmp(buf, "DETACH") == 0) {
929 		if (wpa_supplicant_ctrl_iface_detach(&priv->ctrl_dst, &from,
930 						     fromlen))
931 			reply_len = 1;
932 		else
933 			reply_len = 2;
934 	} else {
935 		reply_buf = wpa_supplicant_global_ctrl_iface_process(
936 			global, buf, &reply_len);
937 		reply = reply_buf;
938 
939 		/*
940 		 * There could be some password/key material in the command, so
941 		 * clear the buffer explicitly now that it is not needed
942 		 * anymore.
943 		 */
944 		os_memset(buf, 0, res);
945 	}
946 
947 	if (!reply && reply_len == 1) {
948 		reply = "FAIL\n";
949 		reply_len = 5;
950 	} else if (!reply && reply_len == 2) {
951 		reply = "OK\n";
952 		reply_len = 3;
953 	}
954 
955 	if (reply) {
956 		wpas_ctrl_sock_debug("global_ctrl_sock-sendto",
957 				     sock, reply, reply_len);
958 		if (sendto(sock, reply, reply_len, 0, (struct sockaddr *) &from,
959 			   fromlen) < 0) {
960 			wpa_printf(MSG_DEBUG, "ctrl_iface sendto failed: %s",
961 				strerror(errno));
962 		}
963 	}
964 	os_free(reply_buf);
965 }
966 
967 
968 static int wpas_global_ctrl_iface_open_sock(struct wpa_global *global,
969 					    struct ctrl_iface_global_priv *priv)
970 {
971 	struct sockaddr_un addr;
972 	const char *ctrl = global->params.ctrl_interface;
973 	int flags;
974 
975 	wpa_printf(MSG_DEBUG, "Global control interface '%s'", ctrl);
976 
977 #ifdef ANDROID
978 	if (os_strncmp(ctrl, "@android:", 9) == 0) {
979 		priv->sock = android_get_control_socket(ctrl + 9);
980 		if (priv->sock < 0) {
981 			wpa_printf(MSG_ERROR, "Failed to open Android control "
982 				   "socket '%s'", ctrl + 9);
983 			goto fail;
984 		}
985 		wpa_printf(MSG_DEBUG, "Using Android control socket '%s'",
986 			   ctrl + 9);
987 		priv->android_control_socket = 1;
988 		goto havesock;
989 	}
990 
991 	if (os_strncmp(ctrl, "@abstract:", 10) != 0) {
992 		/*
993 		 * Backwards compatibility - try to open an Android control
994 		 * socket and if that fails, assume this was a UNIX domain
995 		 * socket instead.
996 		 */
997 		priv->sock = android_get_control_socket(ctrl);
998 		if (priv->sock >= 0) {
999 			wpa_printf(MSG_DEBUG,
1000 				   "Using Android control socket '%s'",
1001 				   ctrl);
1002 			priv->android_control_socket = 1;
1003 			goto havesock;
1004 		}
1005 	}
1006 #endif /* ANDROID */
1007 
1008 	priv->sock = socket(PF_UNIX, SOCK_DGRAM, 0);
1009 	if (priv->sock < 0) {
1010 		wpa_printf(MSG_ERROR, "socket(PF_UNIX): %s", strerror(errno));
1011 		goto fail;
1012 	}
1013 
1014 	os_memset(&addr, 0, sizeof(addr));
1015 #if defined(__FreeBSD__) || defined(__FreeBSD_kernel__)
1016 	addr.sun_len = sizeof(addr);
1017 #endif /* __FreeBSD__ */
1018 	addr.sun_family = AF_UNIX;
1019 
1020 	if (os_strncmp(ctrl, "@abstract:", 10) == 0) {
1021 		addr.sun_path[0] = '\0';
1022 		os_strlcpy(addr.sun_path + 1, ctrl + 10,
1023 			   sizeof(addr.sun_path) - 1);
1024 		if (bind(priv->sock, (struct sockaddr *) &addr, sizeof(addr)) <
1025 		    0) {
1026 			wpa_printf(MSG_ERROR, "supp-global-ctrl-iface-init: "
1027 				   "bind(PF_UNIX;%s) failed: %s",
1028 				   ctrl, strerror(errno));
1029 			goto fail;
1030 		}
1031 		wpa_printf(MSG_DEBUG, "Using Abstract control socket '%s'",
1032 			   ctrl + 10);
1033 		goto havesock;
1034 	}
1035 
1036 	os_strlcpy(addr.sun_path, ctrl, sizeof(addr.sun_path));
1037 	if (bind(priv->sock, (struct sockaddr *) &addr, sizeof(addr)) < 0) {
1038 		wpa_printf(MSG_INFO, "supp-global-ctrl-iface-init(%s) (will try fixup): bind(PF_UNIX): %s",
1039 			   ctrl, strerror(errno));
1040 		if (connect(priv->sock, (struct sockaddr *) &addr,
1041 			    sizeof(addr)) < 0) {
1042 			wpa_printf(MSG_DEBUG, "ctrl_iface exists, but does not"
1043 				   " allow connections - assuming it was left"
1044 				   "over from forced program termination");
1045 			if (unlink(ctrl) < 0) {
1046 				wpa_printf(MSG_ERROR,
1047 					   "Could not unlink existing ctrl_iface socket '%s': %s",
1048 					   ctrl, strerror(errno));
1049 				goto fail;
1050 			}
1051 			if (bind(priv->sock, (struct sockaddr *) &addr,
1052 				 sizeof(addr)) < 0) {
1053 				wpa_printf(MSG_ERROR, "supp-glb-iface-init: bind(PF_UNIX;%s): %s",
1054 					   ctrl, strerror(errno));
1055 				goto fail;
1056 			}
1057 			wpa_printf(MSG_DEBUG, "Successfully replaced leftover "
1058 				   "ctrl_iface socket '%s'",
1059 				   ctrl);
1060 		} else {
1061 			wpa_printf(MSG_INFO, "ctrl_iface exists and seems to "
1062 				   "be in use - cannot override it");
1063 			wpa_printf(MSG_INFO, "Delete '%s' manually if it is "
1064 				   "not used anymore",
1065 				   ctrl);
1066 			goto fail;
1067 		}
1068 	}
1069 
1070 	wpa_printf(MSG_DEBUG, "Using UNIX control socket '%s'", ctrl);
1071 
1072 	if (global->params.ctrl_interface_group) {
1073 		char *gid_str = global->params.ctrl_interface_group;
1074 		gid_t gid = 0;
1075 		struct group *grp;
1076 		char *endp;
1077 
1078 		grp = getgrnam(gid_str);
1079 		if (grp) {
1080 			gid = grp->gr_gid;
1081 			wpa_printf(MSG_DEBUG, "ctrl_interface_group=%d"
1082 				   " (from group name '%s')",
1083 				   (int) gid, gid_str);
1084 		} else {
1085 			/* Group name not found - try to parse this as gid */
1086 			gid = strtol(gid_str, &endp, 10);
1087 			if (*gid_str == '\0' || *endp != '\0') {
1088 				wpa_printf(MSG_ERROR, "CTRL: Invalid group "
1089 					   "'%s'", gid_str);
1090 				goto fail;
1091 			}
1092 			wpa_printf(MSG_DEBUG, "ctrl_interface_group=%d",
1093 				   (int) gid);
1094 		}
1095 		if (chown(ctrl, -1, gid) < 0) {
1096 			wpa_printf(MSG_ERROR,
1097 				   "chown[global_ctrl_interface=%s,gid=%d]: %s",
1098 				   ctrl, (int) gid, strerror(errno));
1099 			goto fail;
1100 		}
1101 
1102 		if (chmod(ctrl, S_IRWXU | S_IRWXG) < 0) {
1103 			wpa_printf(MSG_ERROR,
1104 				   "chmod[global_ctrl_interface=%s]: %s",
1105 				   ctrl, strerror(errno));
1106 			goto fail;
1107 		}
1108 	} else {
1109 		if (chmod(ctrl, S_IRWXU) < 0) {
1110 			wpa_printf(MSG_DEBUG,
1111 				   "chmod[global_ctrl_interface=%s](S_IRWXU): %s",
1112 				   ctrl, strerror(errno));
1113 			/* continue anyway since group change was not required
1114 			 */
1115 		}
1116 	}
1117 
1118 havesock:
1119 
1120 	/*
1121 	 * Make socket non-blocking so that we don't hang forever if
1122 	 * target dies unexpectedly.
1123 	 */
1124 	flags = fcntl(priv->sock, F_GETFL);
1125 	if (flags >= 0) {
1126 		flags |= O_NONBLOCK;
1127 		if (fcntl(priv->sock, F_SETFL, flags) < 0) {
1128 			wpa_printf(MSG_INFO, "fcntl(ctrl, O_NONBLOCK): %s",
1129 				   strerror(errno));
1130 			/* Not fatal, continue on.*/
1131 		}
1132 	}
1133 
1134 	eloop_register_read_sock(priv->sock,
1135 				 wpa_supplicant_global_ctrl_iface_receive,
1136 				 global, priv);
1137 
1138 	return 0;
1139 
1140 fail:
1141 	if (priv->sock >= 0) {
1142 		close(priv->sock);
1143 		priv->sock = -1;
1144 	}
1145 	return -1;
1146 }
1147 
1148 
1149 struct ctrl_iface_global_priv *
1150 wpa_supplicant_global_ctrl_iface_init(struct wpa_global *global)
1151 {
1152 	struct ctrl_iface_global_priv *priv;
1153 
1154 	priv = os_zalloc(sizeof(*priv));
1155 	if (priv == NULL)
1156 		return NULL;
1157 	dl_list_init(&priv->ctrl_dst);
1158 	priv->global = global;
1159 	priv->sock = -1;
1160 
1161 	if (global->params.ctrl_interface == NULL)
1162 		return priv;
1163 
1164 	if (wpas_global_ctrl_iface_open_sock(global, priv) < 0) {
1165 		os_free(priv);
1166 		return NULL;
1167 	}
1168 
1169 	wpa_msg_register_cb(wpa_supplicant_ctrl_iface_msg_cb);
1170 
1171 	return priv;
1172 }
1173 
1174 
1175 static int wpas_ctrl_iface_global_reinit(struct wpa_global *global,
1176 					 struct ctrl_iface_global_priv *priv)
1177 {
1178 	int res;
1179 
1180 	if (priv->sock <= 0)
1181 		return -1;
1182 
1183 	/*
1184 	 * On Android, the control socket being used may be the socket
1185 	 * that is created when wpa_supplicant is started as a /init.*.rc
1186 	 * service. Such a socket is maintained as a key-value pair in
1187 	 * Android's environment. Closing this control socket would leave us
1188 	 * in a bad state with an invalid socket descriptor.
1189 	 */
1190 	if (priv->android_control_socket)
1191 		return priv->sock;
1192 
1193 	eloop_unregister_read_sock(priv->sock);
1194 	close(priv->sock);
1195 	priv->sock = -1;
1196 	res = wpas_global_ctrl_iface_open_sock(global, priv);
1197 	if (res < 0)
1198 		return -1;
1199 	return priv->sock;
1200 }
1201 
1202 
1203 void
1204 wpa_supplicant_global_ctrl_iface_deinit(struct ctrl_iface_global_priv *priv)
1205 {
1206 	struct wpa_ctrl_dst *dst, *prev;
1207 
1208 	if (priv->sock >= 0) {
1209 		eloop_unregister_read_sock(priv->sock);
1210 		close(priv->sock);
1211 	}
1212 	if (priv->global->params.ctrl_interface)
1213 		unlink(priv->global->params.ctrl_interface);
1214 	dl_list_for_each_safe(dst, prev, &priv->ctrl_dst, struct wpa_ctrl_dst,
1215 			      list)
1216 		os_free(dst);
1217 	os_free(priv);
1218 }
1219