Commit graph

12032 commits

Author SHA1 Message Date
Sunil Dutt
444930e5b6 Define an attribute to do a specific BSSID QCA vendor scan
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-11 21:36:13 +02:00
Sunil Dutt
cea761472a Add QCA vendor command definitions for IDs 61-73
This commit documents the QCA vendor commands 61-73 and the
corresponding definitions of the attributes. This set of commands were
previously reserved for QCA without documentation here.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-11 21:32:20 +02:00
Sunil Dutt
cb0cc6efa6 Define QCA Beacon miss threshold attributes for 2.4 and 5 GHz bands
These thresholds values indicate how many Beacon frames can be missed
before before disconnecting from the AP.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-11 21:11:41 +02:00
Jouni Malinen
c313c8a5d8 Fix QCA vendor command values for SAR power limits
Commit c79238b6a4 ('Define a QCA vendor
command to configure SAR Power limits') had a mismatch between the enum
qca_vendor_attr_sar_limits_selections documentations and actual values.
The BDF SAR profiles are 0-based, so rename the enum values and reorder
the values keep the actual values more convenient. While this changes
values over the interface, this is justifiable since the new command was
introduced only recently and it had not been released in any driver.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-11 21:08:25 +02:00
Jouni Malinen
d283f7aeac tests: Increase timeout in wpas_mesh_password_mismatch
There has been number of failures from this test case due to the
MESH-SAE-AUTH-FAILURE event from dev[0] and dev[1] arriving couple of
seconds after the one second timeout after the dev[2] events. This does
not look like a real issue, so increase the timeout to five seconds to
make this less likely to show false failures during testing.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-11 20:08:39 +02:00
Jouni Malinen
58a5c4ae77 tests: Verify wpa_state after INTERWORKING_SELECT
Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-11 19:51:09 +02:00
Jouni Malinen
15aa804285 tests: Make scan_trigger_failure more informative
If wpa_state is left to SCANNING by a previously executed test case,
scan_trigger_failure will fail. Instead of waiting for that failure,
check for wpa_state at the beginning of the test case and report a more
helpful error message if the test case would fail due to a previously
executed test case.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-11 18:41:04 +02:00
Jouni Malinen
a5c723adcf Interworking: Clear SCANNING state if no network selected
Commit 192ad3d730 ('Interworking: Clear
SCANNING state if no match found') did this for the case where no
network matched credentials, but left the SCANNING state in place if
there were a match, but automatic connection was not enabled. Extend
this to cover the case where INTERWORKING_SELECT is not followed by a
connection attempt so that wpa_state is not left indefinitely to
SCANNING.

This fixes a hwsim test case failure in the following sequence:
ap_anqp_sharing scan_trigger_failure

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-11 18:39:12 +02:00
Jouni Malinen
a1836de64b SME: Fix IBSS setup after shared key/FT/FILS association
wpa_s->sme.auth_alg could have been left to a previously value other
than WPA_AUTH_ALG_OPEN if IBSS network is used after an association that
used shared key, FT, or FILS authentication algorithm. This could result
in the IBSS setup failing due to incorrect authentication processing
steps.

Fix this by setting wpa_s->sme.auth_alg = WPA_AUTH_ALG_OPEN whenever
starting an IBSS (or mesh, for that matter) network.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-11 18:23:13 +02:00
Amit Purwar
f49c852b5e P2P: Fix a theoretical out of bounds read in wpas_p2p_select_go_freq()
Commit 8e84921efe ('P2P: Support driver
preferred freq list for Autonomous GO case') introduced this loop to go
through preferred channel list from the driver. The loop does bounds
checking of the index only after having read a value from the array.
That could in theory read one entry beyond the end of the stack buffer.

Fix this by moving the index variable check to be done before using it
to fetch a value from the array.

This code is used only if wpa_supplicant is build with
CONFIG_DRIVER_NL80211_QCA=y and if the driver supports the vendor
extension (get_pref_freq_list() driver op). In addition, the driver
would need to return more than P2P_MAX_PREF_CHANNELS (= 100) preferred
channels for this to actually be able to read beyond the buffer. No
driver is known to return that many preferred channels, so this does not
seem to be reachable in practice.

Signed-off-by: Amit Purwar <amit.purwar@samsung.com>
Signed-off-by: Mayank Haarit <mayank.h@samsung.com>
2016-12-11 12:45:08 +02:00
Amit Purwar
944d485889 P2P: Fix a theoretical out of bounds read in wpas_p2p_setup_freqs()
Commit 370017d968 ('P2P: Use preferred
frequency list from the local driver') introduced this loop to go
through preferred channel list from the driver. The loop does bounds
checking of the index only after having read a value from the array.
That could in theory read one entry beyond the end of the stack buffer.

Fix this by moving the index variable check to be done before using it
to fetch a value from the array.

This code is used only if wpa_supplicant is build with
CONFIG_DRIVER_NL80211_QCA=y and if the driver supports the vendor
extension (get_pref_freq_list() driver op). In addition, the driver
would need to return more than P2P_MAX_PREF_CHANNELS (= 100) preferred
channels for this to actually be able to read beyond the buffer. No
driver is known to return that many preferred channels, so this does not
seem to be reachable in practice.

Signed-off-by: Amit Purwar <amit.purwar@samsung.com>
Signed-off-by: Mayank Haarit <mayank.h@samsung.com>
2016-12-11 12:45:08 +02:00
Johannes Berg
c7c4600260 tests: Add kernel BSS leak tests
Add two tests that check if the kernel BSS leak (when we get a deauth or
otherwise abandon an association attempt) is present in the kernel. This
is for a long-standing cfg80211/mac80211 issue that got fixed with the
kernel commit 'cfg80211/mac80211: fix BSS leaks when abandoning assoc
attempts'.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2016-12-11 12:45:08 +02:00
Jouni Malinen
52358b08f5 tests: P2P device discovery and peer changing device name
Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-11 12:45:08 +02:00
Mayank Haarit
0a6c9dc700 P2P: Send P2P-DEVICE-FOUND event on peer changing device name
This is to handle the case when peer changes device name and same needs
to be updated to upper layers by P2P-DEVICE-FOUND event. It is similar
to the case when a peer changes wfd_subelems and P2P-DEVICE-FOUND event
goes to upper layers.

Signed-off-by: Mayank Haarit <mayank.h@samsung.com>
Signed-off-by: Avichal Agarwal <avichal.a@samsung.com>
2016-12-11 12:45:08 +02:00
Jouni Malinen
71676559ca tests: Peer disabling Wi-Fi Display advertisement
Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-11 12:45:08 +02:00
Mayank Haarit
9a431d4932 WFD: Clear wfd_subelems when P2P peer stops sending them
When a peer device stops sending wfd_subelems, wpa_supplicant should
remove dev->info.wfd_subelems from peer's properties. Previously,
wpa_supplicant left the previously learned dev->info.wfd_subelems in
place whenever the new message did not include wfd_subelems.

In addition to fixing the clearing of the old wfd_subelems, this
resolves another issue. As "wfd_changed" variable becomes true even when
peer stops sending wfd_subelems and dev->info.wfd_subelems has an old
value, a new P2P-DEVICE-FOUND event notification was sent again and
again to upper layers whenever a new discovery response was received
from the peer that previously advertised WFD subelements.

Signed-off-by: Mayank Haarit <mayank.h@samsung.com>
2016-12-11 12:45:08 +02:00
Jouni Malinen
0ef0921a1b tests: Ongoing scan and FLUSH
Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-11 12:45:08 +02:00
Jouni Malinen
6e374bd44d Ignore scan results from ongoing scan when FLUSH command is issued
This makes wpa_supplicant behavior more consistent with FLUSH command to
clear all state. Previously, it was possible for an ongoing scan to be
aborted when the FLUSH command is issued and the scan results from that
aborted scan would still be processed and that would update the BSS
table which was supposed to cleared by the FLUSH command.

This could result in hwsim test case failures due to unexpected BSS
table entries being present after the FLUSH command.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-11 12:45:08 +02:00
Jouni Malinen
79124c7ba1 tests: Scan and only_new=1 multiple times
Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-10 17:04:08 +02:00
Jouni Malinen
71ac934530 Make update_idx available in BSS control interface command
This can be used to perform more accurate tests on BSS entry updates.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-10 17:03:24 +02:00
Jouni Malinen
a1a60635a8 tests: Make p2ps_wildcard_p2ps more robust
The final check in this test case was issuing a new P2P_FIND command
immediately after the P2P_SERVICE_DEL command on the peer. It looked
like it was possible for the scan timing to go in a sequence that made
the new P2P_FIND operation eventually accept a cfg80211 BSS entry from
the very end of the previous P2P_FIND. This resulted in unexpected
P2P-DEVICE-FOUND event even though there was no new Probe Response frame
from the peer at that point in time.

Make this less likely to show unrelated failures by waiting a bit before
starting a new P2P_FIND operation after having changes peer
configuration.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-10 00:33:33 +02:00
Jouni Malinen
49aa88bb5e P2P: Clear PEER_WAITING_RESPONSE on GO Negotiation success
Previously, this flag was cleared only in case of failed GO Negotiation.
That could leave the flag set for a peer and if a new group formation
was performed with the same peer before the entry expired, there was
increased risk of getting stuck in a state where neither peer replied to
a GO Negotiation Request frame if a GO Negotiation Response frame with
Status 1 was dropped.

The error sequence could happen in the go_neg_with_bss_connected test
case when timing was suitable to make the second GO negotiation drop a
pending TX Action frame if the GO Negotiation Response with Status 1 was
scheduled for transmission during a P2P scan and P2P_CONNECT was issued
before that scan got aborted.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-10 00:16:33 +02:00
Jeff Johnson
c79238b6a4 Define a QCA vendor command to configure SAR Power limits
There is a regulatory requirement for Specific Absorption Rate (SAR)
whereby the device transmit power is reduced when it is determined that
the device is in close proximity to the body. Implement a vendor command
interface to allow a userspace entity to dynamically control the SAR
power limits.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-08 18:56:02 +02:00
Jouni Malinen
0f5eb69f85 Use eloop timeout for post-EAP-Failure wait before disconnection
Previously, os_sleep() was used to block the hostapd (or wpa_supplicant
AP/P2P GO mode) processing between sending out EAP-Failure and
disconnecting the STA. This is not ideal for couple of reasons: it
blocks all other parallel operations in the process and it leaves a
window during which the station might deauthenticate and the AP would
have no option for reacting to that before forcing out its own
Deauthentication frame which could go out after the STA has already
started new connection attempt.

Improve this design by scheduling an eloop timeout of 10 ms instead of
the os_sleep() call and perform the delayed operations from the eloop
callback function. This eloop timeout is cancelled if the STA
disconnects or initiates a new connection attempt before the 10 ms time
is reached. This gets rid of the confusing extra Deauthentication frame
in cases where the STA reacts to EAP-Failure by an immediate
deauthentication.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-08 18:56:02 +02:00
Jouni Malinen
29bf636e12 tests: WEP to WPA2-PSK configuration change in hostapd
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-05 21:30:17 +02:00
Jouni Malinen
20b1a9e238 Allow hostapd wep_key# parameters to be cleared
Setting wep_key# to an empty string will now clear a previously
configured key. This is needed to be able to change WEP configured AP to
using WPA/WPA2 through the hostapd control interface SET commands.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-05 21:28:50 +02:00
Jouni Malinen
609be6f7c0 tests: P2P group formation with VHT 80 MHz
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-05 21:14:55 +02:00
Jouni Malinen
813ebc51bd tests: Check data connectivity after supplicant triggered EAP reauth
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-05 21:01:43 +02:00
Jouni Malinen
5ec3d510e1 wpa_passphrase: Reject invalid passphrase
Reject a passphrase with control characters instead of trying to write
out an example network configuration block with such control characters
included.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-05 15:36:56 +02:00
Jouni Malinen
d1ea80361b tests: AP with open mode and external association
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-05 12:16:12 +02:00
Ningyuan Wang
ed0a4ddc22 nl80211: Update drv->ssid on connect/associate event based on BSS data
On a connect nl80211 event, wpa_supplicant uses
wpa_driver_nl80211_get_ssid() to fetch the current associated SSID to
compare to existing configurations. However,
wpa_driver_nl80211_get_ssid() uses drv->ssid, which is a cached value.
It is set when we explicitly initial a connect request using
wpa_supplicant. If the association was initiated outside of
wpa_supplicant, we need another way to populate drv->ssid. This commit
sets drv->ssid based on cfg80211 BSS information on connect/associate
nl80211 events.

Signed-off-by: Ningyuan Wang <nywang@google.com>
2016-12-05 12:08:46 +02:00
Jouni Malinen
9f346fadc8 nl80211: Fix scan_state update in no pending scan state
Commit adcd7c4b0b ('nl80211: Support
vendor scan together with normal scan') made the drv->scan_state updates
for NL80211_CMD_NEW_SCAN_RESULTS and NL80211_CMD_SCAN_ABORTED
conditional on drv->last_scan_cmd being NL80211_CMD_TRIGGER_SCAN. This
missed the part about the possibility of last_scan_cmd == 0 and an
externally started cfg80211 scan is ending. This could leave
drv->scan_state into SCAN_STARTED state even after the scan was
completed. Consequently, hwsim test cases could get stuck in reset()
handler waiting for scan to terminate.

Fix this by updating drv->scan_state also in drv->last_scan_cmd == 0
case.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-05 11:48:26 +02:00
Michael Braun
80fe420ab2 tests: Verify multicast_to_unicast operation
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2016-12-04 21:42:46 +02:00
Michael Braun
34f7c699a6 Add multicast to unicast support
This adds support for nl80211 NL80211_CMD_SET_MULTICAST_TO_UNICAST
command.

By setting the new hostapd configuration option multicast_to_unicast=1,
hostapd configures this AP to perform multicast to unicast conversion.

When enabled, all multicast packets with ethertype ARP, IPv4, or IPv6
(possibly within an 802.1Q header) will be sent out to each station once
with the destination (multicast) MAC address replaced by the station's
MAC address. Note that this may break certain expectations of the
receiver, e.g., the ability to drop unicast IP packets encapsulated in
multicast L2 frames, or the ability to not send destination unreachable
messages in such cases.

This also does not implement Directed Multicast Service (DMS).

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2016-12-04 21:00:06 +02:00
Jouni Malinen
5f2c0a22a9 Sync with mac80211-next.git include/uapi/linux/nl80211.h
This brings in nl80211 definitions as of 2016-12-02.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-04 20:50:07 +02:00
Sam Tannous
08032c7418 Remove inactivity timeout for wired interfaces
We should unconditionally remove inactivity timers for wired network
cases. This commit checks for this after a new station association:

   hapd->iface->drv_flags & WPA_DRIVER_FLAGS_WIRED

and then cancels the timeout and does not register a new one.

It prints out a debug message like this:

1476740180.276286: IEEE 802.1X: 00:02:00:00:00:07 CTRL_DIR entering
state FORCE_BOTH
1476740180.276295: hostapd_new_assoc_sta: canceled wired ap_handle_timer
timeout for 00:02:00:00:00:07

This was tested on a debian jessie amd64 system with a configured 120
second inactivity timer and the session did not timeout.

Signed-off-by: Sam Tannous <stannous@cumulusnetworks.com>
2016-12-04 20:38:45 +02:00
Arik Nemtsov
57f93d6889 Defer scans while PNO is in progress instead of skipping them
Skipping the scan altogether will hurt auto-reconnect. Also move the PNO
check down since the scan might be canceled for other reasons before we
defer it.

Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
2016-12-04 20:27:06 +02:00
Jouni Malinen
a1fce3911f nl80211: Optimize memory use in nl80211_get_assoc_freq()
Do not use the generic bss_info_handler() design to fetch all scan
results into temporary memory buffer. Instead, use a separate BSS info
handler that fetches the requested information without fully parsing the
BSS entries and without allocating any memory for collecting all the
results.

This is also simplifying bss_info_handler() and nl80211_parse_bss_info()
design by getting rid of the special case that was used only for
nl80211_get_assoc_freq() and not normal scan result fetching.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-03 22:37:41 +02:00
Jouni Malinen
da2c284169 nl80211: Reduce nl80211_dump_scan() memory need
Instead of fetching all scan results to a temporary buffer, debug print
scan result dump directly from the message handler function one BSS at a
time.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-03 22:14:04 +02:00
Jouni Malinen
b72a01bc5a nl80211: Split bss_info_handler() into a separate parser function
This allows a single scan result to be parsed at a time. This is a step
towards optimizing scan result fetching without having to allocate
memory for all entries at the same time.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-03 19:36:24 +02:00
Jouni Malinen
cfadab269f nl80211: Move duplicate scan result removal to bss.c
The way the removal of duplicated (one per frequency) BSS entries in the
cfg80211 scan results were removed in driver_nl80211_scan.c
bss_info_handler() depended on having the full scan results available to
allow iteration through the other entries. This is problematic for the
goal of being able to optimize memory allocations for scan result
fetching in a manner that would not build the full result buffer in
memory.

Move this duplicate removal into bss.c since it has sufficient
information available for doing the same determination of which one of
two BSS entries is more current.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-03 19:26:47 +02:00
Jouni Malinen
2a1cf26ecf nl80211: Add more debug details to duplicate scan entry removal
This makes it easier to understand which cfg80211 entry got removed as
obsolete duplicate.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-03 18:59:32 +02:00
Jouni Malinen
27b698338f tests: Scanning and AP changing channels
Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-03 18:53:36 +02:00
Jouni Malinen
865081c307 privsep: Support frequency list for scan requests
Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-03 18:27:16 +02:00
Jouni Malinen
da818ee5e9 privsep: Support multiple scan SSIDs
Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-03 18:17:28 +02:00
Jouni Malinen
002b504d19 privsep: Coding style cleanup for struct definitions
Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-03 18:06:03 +02:00
Jouni Malinen
d3c43e5855 privsep: Fix scan result fetching with Beacon frame IEs
wpa_priv did not yet support Beacon frame IEs (res->beacon_ie_len) which
resulted in invalid scan data being accepted in driver_privsep.c. Add
support for res->beacon_ie_len and also fix the validation step to take
this new variable length field into account.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-03 18:02:49 +02:00
Jouni Malinen
0771e912ae wpa_priv: Document reduced functionality
wpa_priv has never really been fully up-to-date with the wpa_supplicant
driver interface extensions. This does not seem like something that
would change in the future either, so document this reduced
functionality as a potential drawback.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-03 17:49:37 +02:00
Jouni Malinen
6d97561dcd wpa_priv: Handler driver global_deinit() on termination path
This avoids a theoretical resource leak on exit path if wpa_priv is
killed while there is a wpa_supplicant process using it.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-03 17:46:08 +02:00
Jouni Malinen
ce0f899a3d wpa_priv: Explicitly clear padding in message structures
This avoids some valgrind warnings about use of uninitialized memory in
cases where a struct may have padding octets between the fields.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-03 17:46:08 +02:00