New upstream version 0.23

3 years ago · 7690b6f958
71 changed files with 1342 additions and 417 deletions
--- a/8
+++ b/8
@ -1,3 +1,11 @@
+ver 0.23:
+	Fix issue with strict certificate chain checks.
+	Fix issue with parsing RSNE_ADVANCE information.
+	Fix issue with parsing RSN information for WPA1.
+	Fix issue with logic error in scan frequency validation.
+	Fix issue with integer overflow and authentication frames.
+	Add support for installing various manual pages.
+
 ver 0.22:
 	Fix issue with hotplug and device capability detection.
 	Add support for IPv6 network configuration handling.
--- a/Makefile.am
+++ b/Makefile.am
@ -153,9 +153,12 @@ systemd_modload_DATA = src/pkcs8.conf
 endif

 if MANUAL_PAGES
-dist_man_MANS =
+man_MANS =
 endif

+manual_pages = src/iwd.8 src/iwd.conf.5 src/iwd.network.5 \
+		client/iwctl.1 monitor/iwmon.1 wired/ead.8 tools/hwsim.1
+
 eap_sources = src/eap.c src/eap.h src/eap-private.h \
 				src/eap-wsc.c src/eap-wsc.h \
 				src/eap-md5.c \
@ -248,7 +251,7 @@ dbus_bus_DATA += src/net.connman.iwd.service
 endif

 if MANUAL_PAGES
-dist_man_MANS += src/iwd.8 src/iwd.conf.5
+man_MANS += src/iwd.8 src/iwd.conf.5 src/iwd.network.5
 endif
 endif

@ -272,7 +275,7 @@ client_iwctl_SOURCES = client/main.c \
 client_iwctl_LDADD = $(ell_ldadd) -lreadline

 if MANUAL_PAGES
-dist_man_MANS += client/iwctl.1
+man_MANS += client/iwctl.1
 endif
 endif

@ -297,7 +300,7 @@ monitor_iwmon_SOURCES = monitor/main.c linux/nl80211.h \
 monitor_iwmon_LDADD = $(ell_ldadd)

 if MANUAL_PAGES
-dist_man_MANS += monitor/iwmon.1
+man_MANS += monitor/iwmon.1
 endif
 endif

@ -322,7 +325,7 @@ dbus_bus_DATA += wired/net.connman.ead.service
 endif

 if MANUAL_PAGES
-dist_man_MANS += wired/ead.8
+man_MANS += wired/ead.8
 endif
 endif

@ -340,7 +343,7 @@ dist_dbus_data_DATA += tools/hwsim-dbus.conf
 endif

 if MANUAL_PAGES
-dist_man_MANS += tools/hwsim.1
+man_MANS += tools/hwsim.1
 endif
 endif

@ -504,9 +507,10 @@ TESTS = $(unit_tests)

 EXTRA_DIST = src/genbuiltin src/iwd.service.in src/net.connman.iwd.service \
 			wired/ead.service.in wired/net.connman.ead.service \
-			src/pkcs8.conf src/iwd.rst wired/ead.rst \
-			client/iwctl.rst monitor/iwmon.rst tools/hwsim.rst \
-			doc/main.conf unit/gencerts.cnf
+			src/pkcs8.conf doc/main.conf unit/gencerts.cnf \
+			$(manual_pages) $(patsubst %.1,%.rst, \
+					$(patsubst %.5,%.rst, \
+					$(patsubst %.8,%.rst,$(manual_pages))))

 AM_CFLAGS = $(ell_cflags) -fvisibility=hidden \
 				-DUNITDIR=\""$(top_srcdir)/unit/"\" \
@ -525,7 +529,7 @@ DISTCHECK_CONFIGURE_FLAGS = --disable-dbus-policy --disable-systemd-service \
 				--enable-hwsim \
 				--enable-tools

-DISTCLEANFILES = $(BUILT_SOURCES) $(unit_tests) $(dist_man_MANS)
+DISTCLEANFILES = $(BUILT_SOURCES) $(unit_tests) $(manual_pages)

 MAINTAINERCLEANFILES = Makefile.in configure config.h.in aclocal.m4

--- a/Makefile.in
+++ b/Makefile.in
@ -102,7 +102,7 @@ noinst_PROGRAMS = $(am__EXEEXT_6) $(am__EXEEXT_9)
@DAEMON_TRUE@@SYSTEMD_SERVICE_TRUE@am__append_7 = src/iwd.service
@DAEMON_TRUE@@SYSTEMD_SERVICE_TRUE@am__append_8 = src/iwd.service
@DAEMON_TRUE@@SYSTEMD_SERVICE_TRUE@am__append_9 = src/net.connman.iwd.service
-@DAEMON_TRUE@@MANUAL_PAGES_TRUE@am__append_10 = src/iwd.8 src/iwd.conf.5
+@DAEMON_TRUE@@MANUAL_PAGES_TRUE@am__append_10 = src/iwd.8 src/iwd.conf.5 src/iwd.network.5
@CLIENT_TRUE@am__append_11 = client/iwctl
@CLIENT_TRUE@@MANUAL_PAGES_TRUE@am__append_12 = client/iwctl.1
@MONITOR_TRUE@am__append_13 = monitor/iwmon
@ -642,7 +642,7 @@ man1dir = $(mandir)/man1
 man5dir = $(mandir)/man5
 man8dir = $(mandir)/man8
 NROFF = nroff
-MANS = $(dist_man_MANS)
+MANS = $(man_MANS)
 am__dist_dbus_data_DATA_DIST = src/iwd-dbus.conf wired/ead-dbus.conf \
 	tools/hwsim-dbus.conf
 DATA = $(dbus_bus_DATA) $(dist_dbus_data_DATA) $(systemd_modload_DATA) \
@ -845,8 +845,8 @@ TEST_LOGS = $(am__test_logs2:.test.log=.log)
 TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/build-aux/test-driver
 TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \
 	$(TEST_LOG_FLAGS)
-am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in \
-	$(srcdir)/config.h.in $(top_srcdir)/build-aux/compile \
+am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/config.h.in \
+	$(top_srcdir)/build-aux/compile \
 	$(top_srcdir)/build-aux/config.guess \
 	$(top_srcdir)/build-aux/config.sub \
 	$(top_srcdir)/build-aux/depcomp \
@ -1137,9 +1137,12 @@ builtin_sources = $(am__append_3) $(am__append_5)
@SYSTEMD_SERVICE_TRUE@dbus_bus_DATA = $(am__append_9) $(am__append_19)
@SYSTEMD_SERVICE_TRUE@systemd_modloaddir = @SYSTEMD_MODLOADDIR@
@SYSTEMD_SERVICE_TRUE@systemd_modload_DATA = src/pkcs8.conf
-@MANUAL_PAGES_TRUE@dist_man_MANS = $(am__append_10) $(am__append_12) \
+@MANUAL_PAGES_TRUE@man_MANS = $(am__append_10) $(am__append_12) \
@MANUAL_PAGES_TRUE@	$(am__append_14) $(am__append_20) \
@MANUAL_PAGES_TRUE@	$(am__append_23)
+manual_pages = src/iwd.8 src/iwd.conf.5 src/iwd.network.5 \
+		client/iwctl.1 monitor/iwmon.1 wired/ead.8 tools/hwsim.1
+
 eap_sources = src/eap.c src/eap.h src/eap-private.h \
 				src/eap-wsc.c src/eap-wsc.h \
 				src/eap-md5.c \
@ -1392,9 +1395,10 @@ unit_test_p2p_SOURCES = unit/test-p2p.c src/wscutil.h src/wscutil.c \
 unit_test_p2p_LDADD = $(ell_ldadd)
 EXTRA_DIST = src/genbuiltin src/iwd.service.in src/net.connman.iwd.service \
 			wired/ead.service.in wired/net.connman.ead.service \
-			src/pkcs8.conf src/iwd.rst wired/ead.rst \
-			client/iwctl.rst monitor/iwmon.rst tools/hwsim.rst \
-			doc/main.conf unit/gencerts.cnf
+			src/pkcs8.conf doc/main.conf unit/gencerts.cnf \
+			$(manual_pages) $(patsubst %.1,%.rst, \
+					$(patsubst %.5,%.rst, \
+					$(patsubst %.8,%.rst,$(manual_pages))))

 AM_CFLAGS = $(ell_cflags) -fvisibility=hidden \
 	-DUNITDIR=\""$(top_srcdir)/unit/"\" \
@ -1407,7 +1411,7 @@ DISTCHECK_CONFIGURE_FLAGS = --disable-dbus-policy --disable-systemd-service \
 				--enable-hwsim \
 				--enable-tools

-DISTCLEANFILES = $(BUILT_SOURCES) $(unit_tests) $(dist_man_MANS)
+DISTCLEANFILES = $(BUILT_SOURCES) $(unit_tests) $(manual_pages)
 MAINTAINERCLEANFILES = Makefile.in configure config.h.in aclocal.m4
 true_redirect_openssl = 2>&1
 false_redirect_openssl = 2>/dev/null
@ -2212,10 +2216,10 @@ clean-libtool:

 distclean-libtool:
 	-rm -f libtool config.lt
-install-man1: $(dist_man_MANS)
+install-man1: $(man_MANS)
 	@$(NORMAL_INSTALL)
 	@list1=''; \
-	list2='$(dist_man_MANS)'; \
+	list2='$(man_MANS)'; \
 	test -n "$(man1dir)" \
 	  && test -n "`echo $$list1$$list2`" \
 	  || exit 0; \
@ -2250,15 +2254,15 @@ uninstall-man1:
 	@$(NORMAL_UNINSTALL)
 	@list=''; test -n "$(man1dir)" || exit 0; \
 	files=`{ for i in $$list; do echo "$$i"; done; \
-	l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \
+	l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \
 	  sed -n '/\.1[a-z]*$$/p'; \
 	} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^1][0-9a-z]*$$,1,;x' \
 	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
 	dir='$(DESTDIR)$(man1dir)'; $(am__uninstall_files_from_dir)
-install-man5: $(dist_man_MANS)
+install-man5: $(man_MANS)
 	@$(NORMAL_INSTALL)
 	@list1=''; \
-	list2='$(dist_man_MANS)'; \
+	list2='$(man_MANS)'; \
 	test -n "$(man5dir)" \
 	  && test -n "`echo $$list1$$list2`" \
 	  || exit 0; \
@ -2293,15 +2297,15 @@ uninstall-man5:
 	@$(NORMAL_UNINSTALL)
 	@list=''; test -n "$(man5dir)" || exit 0; \
 	files=`{ for i in $$list; do echo "$$i"; done; \
-	l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \
+	l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \
 	  sed -n '/\.5[a-z]*$$/p'; \
 	} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \
 	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
 	dir='$(DESTDIR)$(man5dir)'; $(am__uninstall_files_from_dir)
-install-man8: $(dist_man_MANS)
+install-man8: $(man_MANS)
 	@$(NORMAL_INSTALL)
 	@list1=''; \
-	list2='$(dist_man_MANS)'; \
+	list2='$(man_MANS)'; \
 	test -n "$(man8dir)" \
 	  && test -n "`echo $$list1$$list2`" \
 	  || exit 0; \
@ -2336,7 +2340,7 @@ uninstall-man8:
 	@$(NORMAL_UNINSTALL)
 	@list=''; test -n "$(man8dir)" || exit 0; \
 	files=`{ for i in $$list; do echo "$$i"; done; \
-	l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \
+	l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \
 	  sed -n '/\.8[a-z]*$$/p'; \
 	} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
 	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
--- a/4
+++ b/4
@ -61,7 +61,9 @@ Manual pages

 The manual pages are generated from reStructuredText markup source files
 during the normal build process. The generation requires the rst2man utility
-from Python Docutils project.
+from Python Docutils project. If rst2man is for some reason not available,
+using --disable-manual-pages will skip the manual pages generation and
+installation.

 When building from the tarballs, a copy of the generated manual pages is
 included and the rst2man utility is actually not needed.
--- a/19
+++ b/19
@ -158,25 +158,6 @@ Wireless simulator
 Wireless daemon
 ===============

- Let EAP methods configure timeouts
-
-  Different EAP methods might have different recommendations for various
-  timeouts.  E.g. retransmit timeout, overall timeout, etc.  The EAP framework
-  should be updated to enable EAP methods to configure these timeouts
-  accordingly.  A sane default should also be provided.
-
-  Priority: High
-  Complexity: C2
-
- EAPoL should take EAP timeouts into consideration
-
-  EAPoL state machine currently uses its own (very short) timeout for the
-  4-Way handshake / session key generation.  This timeout does not take into
-  account the fact that EAP authentication might need to be performed first.
-
-  Priority: High
-  Complexity: C1
-
 - Add unit test data with 2nd RSNE in Authenticator 3/4 message

  The specification allows the AP to send a second RSN element in its 4-way
--- a/client/agent.c
+++ b/client/agent.c
@ -240,7 +240,7 @@ static struct l_dbus_message *request_user_password_command_option(
 						struct l_dbus_message *message)
 {
 	struct l_dbus_message *reply;
-	const char *password;
+	const char *password = NULL;

 	command_option_get(COMMAND_OPTION_PASSWORD, &password);
 	if (!password)
--- a/client/dbus-proxy.c
+++ b/client/dbus-proxy.c
@ -651,7 +651,9 @@ static void interfaces_added_callback(struct l_dbus_message *message,
 	if (dbus_message_has_error(message))
 		return;

-	l_dbus_message_get_arguments(message, "oa{sa{sv}}", &path, &object);
+	if (!l_dbus_message_get_arguments(message, "oa{sa{sv}}", &path,
+								&object))
+		return;

 	proxy_interface_create(path, &object);
 }
@ -667,7 +669,8 @@ static void interfaces_removed_callback(struct l_dbus_message *message,
 	if (dbus_message_has_error(message))
 		return;

-	l_dbus_message_get_arguments(message, "oas", &path, &interfaces);
+	if (!l_dbus_message_get_arguments(message, "oas", &path, &interfaces))
+		return;

 	while (l_dbus_message_iter_next_entry(&interfaces, &interface)) {
 		proxy = proxy_interface_find(interface, path);
@ -699,7 +702,16 @@ static void get_managed_objects_callback(struct l_dbus_message *message,
 		return;
 	}

-	l_dbus_message_get_arguments(message, "a{oa{sa{sv}}}", &objects);
+	if (!l_dbus_message_get_arguments(message, "a{oa{sa{sv}}}", &objects)) {
+		l_error("Failed to parse IWD dbus objects, quitting...\n");
+
+		if (!command_is_interactive_mode())
+			command_set_exit_status(EXIT_FAILURE);
+
+		l_main_quit();
+
+		return;
+	}

 	while (l_dbus_message_iter_next_entry(&objects, &path, &object))
 		proxy_interface_create(path, &object);
--- a/client/display.c
+++ b/client/display.c
@ -180,7 +180,8 @@ void display_refresh_set_cmd(const char *family, const char *entity,
 		return;
 	}

-	if (display_refresh.family && !strcmp(display_refresh.family, family)) {
+	if (display_refresh.family && family &&
+				!strcmp(display_refresh.family, family)) {
 		struct l_string *buf = l_string_new(128);
 		L_AUTO_FREE_VAR(char *, args);
 		char *prompt;
@ -205,10 +206,10 @@ void display_refresh_set_cmd(const char *family, const char *entity,

 		args = l_string_unwrap(buf);

-		prompt = l_strdup_printf(IWD_PROMPT"%s%s%s %s %s\n",
-					family ? : "",
-					entity ? " " : "", entity ? : "",
-					cmd->cmd ? : "", args ? : "");
+		prompt = l_strdup_printf(IWD_PROMPT"%s%s%s %s %s\n", family,
+						entity ? " " : "",
+						entity ? : "",
+						cmd->cmd ? : "", args ? : "");

 		l_queue_push_tail(display_refresh.redo_entries, prompt);
 		display_refresh.undo_lines++;
--- a/client/station.c
+++ b/client/station.c
@ -338,7 +338,6 @@ static void ordered_networks_display(struct l_queue *ordered_networks)
 {
 	char *dbms = NULL;
 	const struct l_queue_entry *entry;
-	bool is_first;

 	display_table_header("Available networks", "%s%-*s%-*s%-*s%*s",
 					MARGIN, 2, "", 32, "Network name",
@ -351,7 +350,7 @@ static void ordered_networks_display(struct l_queue *ordered_networks)
 		return;
 	}

-	for (is_first = true, entry = l_queue_get_entries(ordered_networks);
+	for (entry = l_queue_get_entries(ordered_networks);
 						entry; entry = entry->next) {
 		struct ordered_network *network = entry->data;
 		const struct proxy_interface *network_i =
@ -362,24 +361,17 @@ static void ordered_networks_display(struct l_queue *ordered_networks)
 		if (display_signal_as_dbms)
 			dbms = l_strdup_printf("%d", network->signal_strength);

-		if (is_first && network_is_connected(network_i)) {
-			display("%s%-*s%-*s%-*s%-*s\n", MARGIN,
-				2, COLOR_BOLDGRAY "> " COLOR_OFF,
-				32, network_name, 10, network_type,
-				6, display_signal_as_dbms ? dbms :
-					dbms_tostars(network->signal_strength));
+		display("%s%-*s%-*s%-*s%-*s\n", MARGIN, 2,
+			network_is_connected(network_i) ?
+				COLOR_BOLDGRAY "> " COLOR_OFF : "",
+			32, network_name, 10, network_type,
+			6, display_signal_as_dbms ? dbms :
+				dbms_tostars(network->signal_strength));

+		if (display_signal_as_dbms) {
 			l_free(dbms);
-			is_first = false;
-			continue;
+			dbms = NULL;
 		}
-
-		display("%s%-*s%-*s%-*s%-*s\n", MARGIN, 2, "",
-				32, network_name, 10, network_type,
-				6, display_signal_as_dbms ? dbms :
-					dbms_tostars(network->signal_strength));
-
-		l_free(dbms);
 	}

 	display_table_footer();
--- a/22
+++ b/22
@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for iwd 0.22.
+# Generated by GNU Autoconf 2.69 for iwd 0.23.
 #
 #
 # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@ -587,8 +587,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='iwd'
 PACKAGE_TARNAME='iwd'
-PACKAGE_VERSION='0.22'
-PACKAGE_STRING='iwd 0.22'
+PACKAGE_VERSION='0.23'
+PACKAGE_STRING='iwd 0.23'
 PACKAGE_BUGREPORT=''
 PACKAGE_URL=''

@ -1391,7 +1391,7 @@ if test "$ac_init_help" = "long"; then
  # Omit some internal or obsolete options to make the list less imposing.
  # This message is too long to be a string in the A/UX 3.1 sh.
  cat <<_ACEOF
-\`configure' configures iwd 0.22 to adapt to many kinds of systems.
+\`configure' configures iwd 0.23 to adapt to many kinds of systems.

 Usage: $0 [OPTION]... [VAR=VALUE]...

@ -1462,7 +1462,7 @@ fi

 if test -n "$ac_init_help"; then
  case $ac_init_help in
-     short | recursive ) echo "Configuration of iwd 0.22:";;
+     short | recursive ) echo "Configuration of iwd 0.23:";;
   esac
  cat <<\_ACEOF

@ -1608,7 +1608,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
  cat <<\_ACEOF
-iwd configure 0.22
+iwd configure 0.23
 generated by GNU Autoconf 2.69

 Copyright (C) 2012 Free Software Foundation, Inc.
@ -1973,7 +1973,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.

-It was created by iwd $as_me 0.22, which was
+It was created by iwd $as_me 0.23, which was
 generated by GNU Autoconf 2.69.  Invocation command line was

  $ $0 $@
@ -2841,7 +2841,7 @@ fi

 # Define the identity of the package.
 PACKAGE='iwd'
- VERSION='0.22'
+ VERSION='0.23'


 cat >>confdefs.h <<_ACEOF
@ -13231,7 +13231,7 @@ if (test "${enable_external_ell}" = "yes"); then
 			test "${enable_monitor}" != "no" ||
 			test "${enable_wired}" = "yes" ||
 			test "${enable_hwsim}" = "yes"); then
-		ell_min_version="0.24"
+		ell_min_version="0.25"
 	else
 		ell_min_version="0.5"
 	fi
@ -13978,7 +13978,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by iwd $as_me 0.22, which was
+This file was extended by iwd $as_me 0.23, which was
 generated by GNU Autoconf 2.69.  Invocation command line was

  CONFIG_FILES    = $CONFIG_FILES
@ -14044,7 +14044,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-iwd config.status 0.22
+iwd config.status 0.23
 configured by $0, generated by GNU Autoconf 2.69,
  with options \\"\$ac_cs_config\\"

--- a/configure.ac
+++ b/configure.ac
@ -1,5 +1,5 @@
 AC_PREREQ(2.60)
-AC_INIT(iwd, 0.22)
+AC_INIT(iwd, 0.23)

 AC_CONFIG_HEADERS(config.h)
 AC_CONFIG_AUX_DIR(build-aux)
@ -244,7 +244,7 @@ if (test "${enable_external_ell}" = "yes"); then
 			test "${enable_monitor}" != "no" ||
 			test "${enable_wired}" = "yes" ||
 			test "${enable_hwsim}" = "yes"); then
-		ell_min_version="0.24"
+		ell_min_version="0.25"
 	else
 		ell_min_version="0.5"
 	fi
--- a/ell/cert.c
+++ b/ell/cert.c
@ -356,27 +356,6 @@ LIB_EXPORT void l_certchain_walk_from_ca(struct l_certchain *chain,
 			break;
 }

-LIB_EXPORT bool l_certchain_find(struct l_certchain *chain,
-					struct l_queue *ca_certs)
-{
-	if (unlikely(!chain || !chain->leaf))
-		return false;
-
-	/* Nothing to do if no CA certificates supplied */
-	if (!ca_certs)
-		return true;
-
-	/*
-	 * Also nothing to do if the user already supplied a working
-	 * certificate chain.
-	 */
-	if (l_certchain_verify(chain, ca_certs, NULL))
-		return true;
-
-	/* Actual search for a chain to the CA cert is unimplemented, fail */
-	return false;
-}
-
 static struct l_keyring *cert_set_to_keyring(struct l_queue *certs, char *error)
 {
 	struct l_keyring *ring;
--- a/ell/cert.h
+++ b/ell/cert.h
@ -56,7 +56,6 @@ void l_certchain_walk_from_leaf(struct l_certchain *chain,
 void l_certchain_walk_from_ca(struct l_certchain *chain,
 				l_cert_walk_cb_t cb, void *user_data);

-bool l_certchain_find(struct l_certchain *chain, struct l_queue *ca_certs);
 bool l_certchain_verify(struct l_certchain *chain, struct l_queue *ca_certs,
 			const char **error);

--- a/ell/dbus-client.c
+++ b/ell/dbus-client.c
@ -546,7 +546,8 @@ static void get_managed_objects_reply(struct l_dbus_message *message,
 	if (l_dbus_message_is_error(message))
 		return;

-	l_dbus_message_get_arguments(message, "a{oa{sa{sv}}}", &objects);
+	if (!l_dbus_message_get_arguments(message, "a{oa{sa{sv}}}", &objects))
+		return;

 	while (l_dbus_message_iter_next_entry(&objects, &path, &object))
 		parse_object(client, path, &object);
--- a/ell/dbus-service.c
+++ b/ell/dbus-service.c
@ -1614,7 +1614,8 @@ bool _dbus_object_tree_remove_interface(struct _dbus_object_tree *tree,
 						match_object_manager_path,
 						(char *) path);

-		object_manager_free(manager);
+		if (manager)
+			object_manager_free(manager);
 	}

 	for (entry = l_queue_get_entries(tree->object_managers); entry;
--- a/ell/dhcp.c
+++ b/ell/dhcp.c
@ -460,7 +460,7 @@ static uint16_t dhcp_attempt_secs(uint64_t start)
 */
 static uint64_t dhcp_fuzz_secs(uint32_t secs)
 {
-	uint64_t ms = secs * 1000;
+	uint64_t ms = secs * 1000ULL;
 	uint32_t r = l_getrandom_uint32();

 	/*
@ -941,8 +941,11 @@ static void dhcp_client_rx_message(const void *data, size_t len, void *userdata)
 		CLIENT_ENTER_STATE(DHCP_STATE_REQUESTING);
 		client->attempt = 1;

-		if (dhcp_client_send_request(client) < 0)
-			goto error;
+		if (dhcp_client_send_request(client) < 0) {
+			l_dhcp_client_stop(client);
+
+			return;
+		}

 		l_timeout_modify_ms(client->timeout_resend, dhcp_fuzz_secs(4));
 		break;
@ -950,9 +953,11 @@ static void dhcp_client_rx_message(const void *data, size_t len, void *userdata)
 	case DHCP_STATE_RENEWING:
 	case DHCP_STATE_REBINDING:
 		if (msg_type == DHCP_MESSAGE_TYPE_NAK) {
+			l_dhcp_client_stop(client);
+
 			dhcp_client_event_notify(client,
 					L_DHCP_CLIENT_EVENT_NO_LEASE);
-			goto error;
+			return;
 		}

 		if (msg_type != DHCP_MESSAGE_TYPE_ACK)
@ -993,11 +998,6 @@ static void dhcp_client_rx_message(const void *data, size_t len, void *userdata)
 	case DHCP_STATE_BOUND:
 		break;
 	}
-
-	return;
-
-error:
-	l_dhcp_client_stop(client);
 }

 LIB_EXPORT struct l_dhcp_client *l_dhcp_client_new(uint32_t ifindex)
--- a/ell/genl.c
+++ b/ell/genl.c
@ -755,7 +755,7 @@ static bool msg_grow(struct l_genl_msg *msg, uint32_t needed)
 	if (msg->size >= msg->len + needed)
 		return true;

-	grow_by = msg->size - needed;
+	grow_by = msg->len + needed - msg->size;

 	if (grow_by < 32)
 		grow_by = 128;
--- a/ell/pem.c
+++ b/ell/pem.c
@ -266,6 +266,9 @@ LIB_EXPORT uint8_t *l_pem_load_file(const char *filename,
 	struct pem_file_info file;
 	uint8_t *result;

+	if (unlikely(!filename))
+		return NULL;
+
 	if (pem_file_open(&file, filename) < 0)
 		return NULL;

@ -374,6 +377,9 @@ LIB_EXPORT struct l_queue *l_pem_load_certificate_list(const char *filename)
 	struct pem_file_info file;
 	struct l_queue *list = NULL;

+	if (unlikely(!filename))
+		return NULL;
+
 	if (pem_file_open(&file, filename) < 0)
 		return NULL;

--- a/ell/tls-suites.c
+++ b/ell/tls-suites.c
@ -774,6 +774,7 @@ static bool tls_send_dhe_server_key_xchg(struct l_tls *tls)
 		goto free_params;
 	}

+	memset(public_buf, 0, sizeof(public_buf));
 	public_len = params->prime_len;

 	if (!l_key_compute_dh_public(params->generator, params->private,
@ -981,6 +982,7 @@ static bool tls_send_dhe_client_key_xchg(struct l_tls *tls)
 	size_t pre_master_secret_len;

 	public_len = params->prime_len;
+	memset(public_buf, 0, sizeof(public_buf));

 	if (!l_key_compute_dh_public(params->generator, params->private,
 					params->prime, public_buf,
--- a/ell/tls.c
+++ b/ell/tls.c
@ -1094,13 +1094,6 @@ static bool tls_send_certificate(struct l_tls *tls)
 		return false;
 	}

-	if (tls->cert && !l_certchain_find(tls->cert, tls->ca_certs)) {
-		TLS_DISCONNECT(TLS_ALERT_INTERNAL_ERROR, TLS_ALERT_UNKNOWN_CA,
-				"Can't find certificate chain to local "
-				"CA cert");
-		return false;
-	}
-
 	/*
 	 * TODO: check that the certificate is compatible with hash and
 	 * signature algorithms lists supplied to us in the Client Hello
--- a/ell/util.c
+++ b/ell/util.c
@ -398,7 +398,8 @@ LIB_EXPORT char *l_util_hexstring_upper(const unsigned char *buf, size_t len)
 * @str: Null-terminated string containing the hex-encoded bytes
 * @out_len: Number of bytes decoded
 *
- * Returns: a newly allocated byte array
+ * Returns: a newly allocated byte array.  Empty strings are treated as
+ * an error condition.
 **/
 LIB_EXPORT unsigned char *l_util_from_hexstring(const char *str,
 							size_t *out_len)
@ -420,6 +421,9 @@ LIB_EXPORT unsigned char *l_util_from_hexstring(const char *str,
 		return NULL;
 	}

+	if (!i)
+		return NULL;
+
 	if ((i % 2) != 0)
 		return NULL;

--- a/monitor/main.c
+++ b/monitor/main.c
@ -221,6 +221,12 @@ static struct l_netlink *rtm_interface_send_message(struct l_netlink *rtnl,
 			return NULL;
 	}

+	if (!rtnl)
+		rtnl = l_netlink_new(NETLINK_ROUTE);
+
+	if (!rtnl)
+		return NULL;
+
 	bufsize = NLMSG_LENGTH(sizeof(struct ifinfomsg)) +
 		RTA_SPACE(ifname_len) + RTA_SPACE(0) +
 		RTA_SPACE(nlmon_type_len);
@ -231,12 +237,6 @@ static struct l_netlink *rtm_interface_send_message(struct l_netlink *rtnl,
 	rtmmsg->ifi_family = AF_UNSPEC;
 	rtmmsg->ifi_change = ~0;

-	if (!rtnl)
-		rtnl = l_netlink_new(NETLINK_ROUTE);
-
-	if (!rtnl)
-		return NULL;
-
 	rta_buf = rtmmsg + 1;

 	if (ifname)
@ -250,7 +250,6 @@ static struct l_netlink *rtm_interface_send_message(struct l_netlink *rtnl,
 	linkinfo_rta->rta_len = rta_buf - (void *) linkinfo_rta;

 	switch (rtm_msg_type) {
-
 	case RTM_NEWLINK:
 		rtmmsg->ifi_flags = IFF_UP | IFF_ALLMULTI | IFF_NOARP;

@ -275,8 +274,8 @@ static struct l_netlink *rtm_interface_send_message(struct l_netlink *rtnl,

 	default:
 		l_netlink_destroy(rtnl);
-		l_free(rtmmsg);
-		return NULL;
+		rtnl = NULL;
+		break;
 	}

 	l_free(rtmmsg);
--- a/monitor/nlmon.c
+++ b/monitor/nlmon.c
@ -3013,8 +3013,9 @@ static void print_p2p_channel_list(unsigned int level, const char *label,

 	while (size) {
 		uint8_t channels;
-		char str[128];
-		int pos = 0;
+		struct l_string *string;
+		char *str;
+		bool first = true;

 		if (size < 2 || size < 2 + bytes[1]) {
 			printf("malformed P2P %s\n", label);
@ -3025,11 +3026,18 @@ static void print_p2p_channel_list(unsigned int level, const char *label,
 		channels = *bytes++;
 		size -= 2 + channels;

-		while (channels--)
-			snprintf(str + pos, sizeof(str) - pos, "%s%u",
-					pos ? ", " : "", (int) *bytes++);
+		string = l_string_new(128);

+		while (channels--) {
+			l_string_append_printf(string, "%s%u",
+						first ? "" : ", ",
+						(int ) *bytes++);
+			first = false;
+		}
+
+		str = l_string_unwrap(string);
 		print_attr(level + 2, "%s", str);
+		l_free(str);
 	}
 }

@ -3669,7 +3677,6 @@ static void print_authentication_mgmt_frame(unsigned int level,
 {
 	const char *str;
 	const struct mmpdu_authentication *body;
-	struct ie_tlv_iter iter;

 	if (!mmpdu)
 		return;
@ -3710,13 +3717,8 @@ static void print_authentication_mgmt_frame(unsigned int level,
 			L_LE16_TO_CPU(body->transaction_sequence) > 3)
 		return;

-	ie_tlv_iter_init(&iter, body->ies, (const uint8_t *) mmpdu + size -
-				body->ies);
-	ie_tlv_iter_next(&iter);
-
-	print_attr(level + 1, "Challenge text: \"%s\" (%u)",
-				ie_tlv_iter_get_data(&iter),
-				ie_tlv_iter_get_length(&iter));
+	print_ie(level + 1, "IEs", body->ies,
+			(const uint8_t *) mmpdu + size - body->ies);
 }

 static void print_deauthentication_mgmt_frame(unsigned int level,
--- a/plugins/ofono.c
+++ b/plugins/ofono.c
@ -624,7 +624,8 @@ static void interfaces_changed_cb(struct l_dbus_message *message,
 	struct l_dbus_message_iter value;
 	const char *key;

-	l_dbus_message_get_arguments(message, "sv", &key, &value);
+	if (!l_dbus_message_get_arguments(message, "sv", &key, &value))
+		return;

 	if (!strcmp(key, "Interfaces"))
 		parse_interfaces(&value, modem);
@ -718,10 +719,11 @@ static void get_modems_cb(struct l_dbus_message *reply, void *user_data)

 	modems = l_queue_new();

-	l_dbus_message_get_arguments(reply, "a(oa{sv})", &modem_list);
-
-	while (l_dbus_message_iter_next_entry(&modem_list, &path, &props))
-		parse_modem(path, &props);
+	if (l_dbus_message_get_arguments(reply, "a(oa{sv})", &modem_list)) {
+		while (l_dbus_message_iter_next_entry(&modem_list, &path,
+									&props))
+			parse_modem(path, &props);
+	}

 	/* watch for modems being added/removed */
 	modem_add_watch = l_dbus_add_signal_watch(dbus_get_bus(),
--- a/src/agent.c
+++ b/src/agent.c
@ -29,6 +29,7 @@
 #include <ell/ell.h>
 #include "src/dbus.h"
 #include "src/agent.h"
+#include "src/iwd.h"

 static unsigned int next_request_id = 0;

@ -619,8 +620,10 @@ static bool release_agent(void *data, void *user_data)
 	return true;
 }

-bool agent_init(struct l_dbus *dbus)
+static int agent_init(void)
 {
+	struct l_dbus *dbus = dbus_get_bus();
+
 	agents = l_queue_new();

 	if (!l_dbus_register_interface(dbus, IWD_AGENT_MANAGER_INTERFACE,
@ -628,7 +631,7 @@ bool agent_init(struct l_dbus *dbus)
 						NULL, false)) {
 		l_info("Unable to register %s interface",
 				IWD_AGENT_MANAGER_INTERFACE);
-		return false;
+		return -EIO;
 	}

 	if (!l_dbus_object_add_interface(dbus, IWD_AGENT_MANAGER_PATH,
@ -637,24 +640,26 @@ bool agent_init(struct l_dbus *dbus)
 		l_info("Unable to register the agent manager object on '%s'",
 				IWD_AGENT_MANAGER_PATH);
 		l_dbus_unregister_interface(dbus, IWD_AGENT_MANAGER_INTERFACE);
-		return false;
+		return -EIO;
 	}

-	return true;
+	return 0;
 }

-bool agent_exit(struct l_dbus *dbus)
+static void agent_exit(void)
 {
+	struct l_dbus *dbus = dbus_get_bus();
+
 	l_dbus_unregister_object(dbus, IWD_AGENT_MANAGER_PATH);
 	l_dbus_unregister_interface(dbus, IWD_AGENT_MANAGER_INTERFACE);

 	l_queue_destroy(agents, agent_free);
 	agents = NULL;
-
-	return true;
 }

 void agent_shutdown(void)
 {
 	l_queue_foreach_remove(agents, release_agent, NULL);
 }
+
+IWD_MODULE(agent, agent_init, agent_exit);
--- a/src/agent.h
+++ b/src/agent.h
@ -37,8 +37,6 @@ typedef void (*agent_request_user_name_passwd_func_t) (enum agent_result result,
 					void *user_data);
 typedef void (*agent_request_destroy_func_t)(void *user_data);

-bool agent_init(struct l_dbus *dbus);
-bool agent_exit(struct l_dbus *dbus);
 void agent_shutdown(void);

 unsigned int agent_request_passphrase(const char *path,
--- a/src/anqp.c
+++ b/src/anqp.c
@ -287,6 +287,9 @@ uint32_t anqp_request(uint32_t ifindex, const uint8_t *addr,
 	uint32_t duration = 300;
 	struct netdev *netdev = netdev_find(ifindex);

+	if (!netdev)
+		return 0;
+
 	/*
 	 * TODO: Netdev dependencies will eventually be removed so we need
 	 * another way to figure out wiphy capabilities.
@ -474,11 +477,11 @@ static void anqp_mlme_notify(struct l_genl_msg *msg, void *user_data)
 	}
 }

-bool anqp_init(struct l_genl_family *in)
+static int anqp_init(void)
 {
 	struct l_genl *genl = iwd_get_genl();

-	nl80211 = in;
+	nl80211 = l_genl_family_new(genl, NL80211_GENL_NAME);

 	anqp_requests = l_queue_new();

@ -492,13 +495,14 @@ bool anqp_init(struct l_genl_family *in)
 								NULL, NULL))
 		l_error("Registering for MLME notification failed");

-	return true;
+	return 0;
 }

-void anqp_exit(void)
+static void anqp_exit(void)
 {
 	struct l_genl *genl = iwd_get_genl();

+	l_genl_family_free(nl80211);
 	nl80211 = NULL;

 	l_queue_destroy(anqp_requests, anqp_destroy);
@ -507,3 +511,6 @@ void anqp_exit(void)

 	l_genl_remove_unicast_watch(genl, unicast_watch);
 }
+
+IWD_MODULE(anqp, anqp_init, anqp_exit);
+IWD_MODULE_DEPENDS(anqp, netdev);
--- a/src/anqp.h
+++ b/src/anqp.h
@ -38,6 +38,3 @@ uint32_t anqp_request(uint32_t ifindex, const uint8_t *addr,
 			struct scan_bss *bss, const uint8_t *anqp, size_t len,
 			anqp_response_func_t cb, void *user_data,
 			anqp_destroy_func_t destroy);
-
-bool anqp_init(struct l_genl_family *in);
-void anqp_exit(void);
--- a/src/ap.c
+++ b/src/ap.c
@ -951,7 +951,7 @@ bad_frame:
 	 *
 	 * For now, we need to drop the RSNA.
 	 */
-	if (sta && sta->associated && sta->rsna)
+	if (sta->associated && sta->rsna)
 		ap_drop_rsna(sta);

 	if (rates)
--- a/src/backtrace.c
+++ b/src/backtrace.c
@ -114,7 +114,7 @@ void __iwd_backtrace_print(unsigned int offset)
 		if (written < 0)
 			break;

-		len = read(infd[0], buf, sizeof(buf));
+		len = read(infd[0], buf, sizeof(buf) - 1);
 		if (len < 0)
 			break;

@ -130,6 +130,9 @@ void __iwd_backtrace_print(unsigned int offset)
 		}

 		ptr = strchr(pos, '\n');
+		if (!ptr)
+			continue;
+
 		*ptr++ = '\0';

 		if (strncmp(pos, program_path, pathlen) == 0)
--- a/src/crypto.c
+++ b/src/crypto.c
@ -706,6 +706,7 @@ bool hkdf_extract(enum l_checksum_type type, const uint8_t *key,
 	}

 	if (!l_checksum_updatev(hmac, iov, num_args)) {
+		l_checksum_free(hmac);
 		va_end(va);
 		return false;
 	}
--- a/src/dbus.c
+++ b/src/dbus.c
@ -210,12 +210,11 @@ struct l_dbus *dbus_get_bus(void)
 bool dbus_init(struct l_dbus *dbus)
 {
 	g_dbus = dbus;
-	return agent_init(dbus);
+	return true;
 }

 void dbus_exit(void)
 {
-	agent_exit(g_dbus);
 	g_dbus = NULL;
 }

--- a/src/eap-pwd.c
+++ b/src/eap-pwd.c
@ -115,8 +115,10 @@ static bool kdf(uint8_t *key, size_t key_len, const char *label,
 		iov[iov_pos].iov_base = &L;
 		iov[iov_pos++].iov_len = 2;

-		if (!l_checksum_updatev(hmac, iov, iov_pos))
+		if (!l_checksum_updatev(hmac, iov, iov_pos)) {
+			l_checksum_free(hmac);
 			return false;
+		}

 		l_checksum_get_digest(hmac, out + len, minsize(olen - len, 32));
 		l_checksum_free(hmac);
--- a/src/eap-tls-common.c
+++ b/src/eap-tls-common.c
@ -900,16 +900,15 @@ int eap_tls_common_settings_check(struct l_settings *settings,
 			goto done;
 		}

-		if (!l_certchain_verify(cert, cacerts, &error_str)) {
-			if (cacerts)
-				l_error("Certificate chain %s is not trusted "
-					"by any CA in %s or fails verification"
-					": %s", client_cert, value, error_str);
-			else
-				l_error("Certificate chain %s fails "
-					"verification: %s",
-					client_cert, error_str);
-
+		/*
+		 * Sanity check that certchain provided is valid.  We do not
+		 * verify the certchain against the provided CA, since the
+		 * CA that issued user certificates might be different from
+		 * the one that is used to verify the peer
+		 */
+		if (!l_certchain_verify(cert, NULL, &error_str)) {
+			l_error("Certificate chain %s fails verification: %s",
+				client_cert, error_str);
 			ret = -EINVAL;
 			goto done;
 		}
--- a/src/eap-ttls.c
+++ b/src/eap-ttls.c
@ -1089,7 +1089,7 @@ static bool eap_ttls_settings_load(struct eap_state *eap,
 						struct l_settings *settings,
 						const char *prefix)
 {
-	struct phase2_method *phase2 = l_new(struct phase2_method, 1);
+	struct phase2_method *phase2;
 	const char *phase2_method_name;
 	char setting[72];
 	uint8_t i;
@ -1100,6 +1100,8 @@ static bool eap_ttls_settings_load(struct eap_state *eap,
 	if (!phase2_method_name)
 		return false;

+	phase2 = l_new(struct phase2_method, 1);
+
 	snprintf(setting, sizeof(setting), "%sTTLS-Phase2-", prefix);

 	for (i = 0; tunneled_non_eap_method_ops[i].name; i++) {
--- a/src/eap.c
+++ b/src/eap.c
@ -33,6 +33,7 @@
 #include "src/missing.h"
 #include "src/eap.h"
 #include "src/eap-private.h"
+#include "src/iwd.h"

 static uint32_t default_mtu;
 static struct l_queue *eap_methods;
@ -676,6 +677,12 @@ int eap_unregister_method(struct eap_method *method)
 	return -ENOENT;
 }

+void __eap_set_config(struct l_settings *config)
+{
+	if (!l_settings_get_uint(config, "EAP", "mtu", &default_mtu))
+		default_mtu = 1400; /* on WiFi the real MTU is around 2304 */
+}
+
 static void __eap_method_enable(struct eap_method_desc *start,
 					struct eap_method_desc *stop)
 {
@ -715,7 +722,7 @@ static void __eap_method_disable(struct eap_method_desc *start,
 extern struct eap_method_desc __start___eap[];
 extern struct eap_method_desc __stop___eap[];

-void eap_init(uint32_t mtu)
+int eap_init(void)
 {
 	eap_methods = l_queue_new();
 	__eap_method_enable(__start___eap, __stop___eap);
@ -725,10 +732,10 @@ void eap_init(uint32_t mtu)
 	 * EAP is capable of functioning on lower layers that
 	 *        provide an EAP MTU size of 1020 octets or greater.
 	 */
-	if (mtu == 0)
+	if (default_mtu == 0)
 		default_mtu = 1020;
-	else
-		default_mtu = mtu;
+
+	return 0;
 }

 void eap_exit(void)
@ -736,3 +743,5 @@ void eap_exit(void)
 	__eap_method_disable(__start___eap, __stop___eap);
 	l_queue_destroy(eap_methods, NULL);
 }
+
+IWD_MODULE(eap, eap_init, eap_exit);
--- a/src/eap.h
+++ b/src/eap.h
@ -93,5 +93,7 @@ const char *eap_get_identity(struct eap_state *eap);

 void eap_rx_packet(struct eap_state *eap, const uint8_t *pkt, size_t len);

-void eap_init(uint32_t default_mtu);
+void __eap_set_config(struct l_settings *config);
+
+int eap_init(void);
 void eap_exit(void);
--- a/src/eapol.c
+++ b/src/eapol.c
@ -40,6 +40,7 @@
 #include "src/handshake.h"
 #include "src/watchlist.h"
 #include "src/erp.h"
+#include "src/iwd.h"

 static struct l_queue *state_machines;
 static struct l_queue *preauths;
@ -885,9 +886,9 @@ struct eapol_sm *eapol_sm_new(struct handshake_state *hs)

 void eapol_sm_free(struct eapol_sm *sm)
 {
-	eapol_sm_destroy(sm);
-
 	l_queue_remove(state_machines, sm);
+
+	eapol_sm_destroy(sm);
 }

 void eapol_sm_set_listen_interval(struct eapol_sm *sm, uint16_t interval)
@ -1105,7 +1106,11 @@ static void eapol_handle_ptk_1_of_4(struct eapol_sm *sm,
 	pmkid = handshake_util_find_pmkid_kde(EAPOL_KEY_DATA(ek, sm->mic_len),
 					EAPOL_KEY_DATA_LEN(ek, sm->mic_len));

-	ie_parse_rsne_from_data(own_ie, own_ie[1] + 2, &rsn_info);
+	if (!sm->handshake->wpa_ie) {
+		if (ie_parse_rsne_from_data(own_ie, own_ie[1] + 2,
+						&rsn_info) < 0)
+			goto error_unspecified;
+	}

 	/*
 	 * Require the PMKID KDE whenever we've sent a list of PMKIDs in
@ -1556,7 +1561,8 @@ static void eapol_handle_ptk_3_of_4(struct eapol_sm *sm,
 		const uint8_t *mde = sm->handshake->mde;
 		const uint8_t *fte = sm->handshake->fte;

-		ie_parse_rsne_from_data(rsne, rsne[1] + 2, &ie_info);
+		if (ie_parse_rsne_from_data(rsne, rsne[1] + 2, &ie_info) < 0)
+			goto error_ie_different;

 		if (ie_info.num_pmkids != 1 || memcmp(ie_info.pmkids,
 						sm->handshake->pmk_r1_name, 16))
@ -2705,16 +2711,16 @@ void __eapol_set_config(struct l_settings *config)
 		eapol_4way_handshake_time = 5;
 }

-bool eapol_init()
+int eapol_init(void)
 {
 	state_machines = l_queue_new();
 	preauths = l_queue_new();
 	watchlist_init(&frame_watches, &eapol_frame_watch_ops);

-	return true;
+	return 0;
 }

-bool eapol_exit()
+void eapol_exit(void)
 {
 	if (!l_queue_isempty(state_machines))
 		l_warn("stale eapol state machines found");
@ -2727,6 +2733,6 @@ bool eapol_exit()
 	l_queue_destroy(preauths, preauth_sm_destroy);

 	watchlist_destroy(&frame_watches);
-
-	return true;
 }
+
+IWD_MODULE(eapol, eapol_init, eapol_exit);
--- a/src/eapol.h
+++ b/src/eapol.h
@ -128,5 +128,5 @@ struct preauth_sm *eapol_preauth_start(const uint8_t *aa,
 					eapol_preauth_destroy_func_t destroy);
 void eapol_preauth_cancel(uint32_t ifindex);

-bool eapol_init();
-bool eapol_exit();
+int eapol_init(void);
+void eapol_exit(void);
--- a/src/erp.c
+++ b/src/erp.c
@ -509,8 +509,9 @@ int erp_rx_packet(struct erp_state *erp, const uint8_t *pkt, size_t len)
 	l_put_be16(64, ptr);
 	ptr += 2;

-	hkdf_expand(L_CHECKSUM_SHA256, erp->r_rk, erp->cache->emsk_len,
-			info, ptr - info, erp->rmsk, erp->cache->emsk_len);
+	if (!hkdf_expand(L_CHECKSUM_SHA256, erp->r_rk, erp->cache->emsk_len,
+			info, ptr - info, erp->rmsk, erp->cache->emsk_len))
+		goto eap_failed;

 	return 0;

--- a/src/hotspot.c
+++ b/src/hotspot.c
@ -320,7 +320,7 @@ static struct hs20_config *hs20_config_new(struct l_settings *settings,
 	char **nai_realms = NULL;
 	const char *rc_str;
 	char *name;
-	bool autoconnect = true;
+	bool autoconnect;

 	/* One of HESSID, NAI realms, or Roaming Consortium must be included */
 	hessid_str = l_settings_get_string(settings, "Hotspot", "HESSID");
@ -330,7 +330,9 @@ static struct hs20_config *hs20_config_new(struct l_settings *settings,

 	rc_str = l_settings_get_value(settings, "Hotspot", "RoamingConsortium");