Commit graph

15503 commits

Author SHA1 Message Date
Vamsi Krishna
33c8a10498 Do not select APs found on disabled channels for connection
If a channel list changed event is received after a scan and before
selecting a BSS for connection, a BSS found on a now disabled channel
may get selected for connection. The connect request issued with the BSS
found on a disabled channel is rejected by cfg80211. Filter out the BSSs
found on disabled channels and select from the other BSSs found on
enabled channels to avoid unnecessary connection attempts that are bound
to fail.

The channel list information will be updated by the driver in cases like
country code update, disabling/enabling specific bands, etc. which can
occur between the scan and connection attempt.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-01-08 16:19:47 +02:00
Vamsi Krishna
aa663baf45 Fix QCA_WLAN_VENDOR_ATTR_ACS_VHT_SEG1_CENTER_CHANNEL NULL check
Correct the check for presence of
QCA_WLAN_VENDOR_ATTR_ACS_VHT_SEG1_CENTER_CHANNEL attribute before using it
while processing acs_result event.

Fixes: 857d94225a ("Extend offloaded ACS QCA vendor command to support VHT")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-01-08 16:14:24 +02:00
Markus Theil
2ffdf32eb8 tests: Add digestmod for Python 3.8
The digestmod argument also exists in earlier Python versions,
version 3.8 does not set a default argument anymore.

Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
2020-01-08 14:57:13 +02:00
Markus Theil
f7b2fe99ea tests: Fix undefined behavior in module tests
Test: wpa_supplicant module tests
../src/utils/utils_module_tests.c:933:7: runtime error: left shift of 1 by 31 places cannot be represented in type 'int'

Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
2020-01-08 14:56:55 +02:00
Jouni Malinen
297d69161b OpenSSL: Fix memory leak in TOD policy validation
Returned policies from X509_get_ext_d2i() need to be freed.

Fixes: 21f1a1e66c ("Report TOD policy")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-01-07 20:40:12 +02:00
Markus Theil
8296ee1805 RSN IBSS: Fix EAPOL TX using control port
This was previously done only in supplicant role, but a similar change
is needed for the authenticator role.

Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
2020-01-06 22:33:45 +02:00
Jouni Malinen
09f96acb9d tests: PSK/EAP without nl80211 control port
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-05 21:31:33 +02:00
Jouni Malinen
c52129bed8 nl80211: Allow control port to be disabled with a driver param
This is mainly for testing purposes to allow wpa_supplicant and hostapd
functionality to be tested both with and without using the nl80211
control port which is by default used whenever supported by the driver.
control_port=0 driver parameter will prevent that from happening.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-05 21:31:33 +02:00
Markus Theil
781c5a0624 nl80211: Use control port TX for AP mode
Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
2020-01-05 21:31:33 +02:00
Markus Theil
d8252a9812 nl80211: Report control port RX events
This allows EAPOL frames to be received over the separate controlled
port once rest of the driver interface is ready for this. By itself,
this commit does not actually change behavior since cfg80211 will not be
delivering these events without them being explicitly requested.

Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
2020-01-05 21:30:41 +02:00
Markus Theil
a79ed06871 Add no_encrypt flag for control port TX
In order to correctly encrypt rekeying frames, wpa_supplicant now checks
if a PTK is currently installed and sets the corresponding encrypt
option for tx_control_port().

Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
2020-01-05 20:34:50 +02:00
Brendan Jackman
144314eaa7 wpa_supplicant: Send EAPOL frames over nl80211 where available
Linux kernel v4.17 added the ability to request sending control port
frames via nl80211 instead of a normal network socket. Doing this
provides the device driver with ordering information between the
control port frames and the installation of keys. This empowers it to
avoid race conditions between, for example, PTK replacement and the
sending of frame 4 of the 4-way rekeying handshake in an RSNA. The
key difference between a TX_CONTROL_PORT and normal socket send is
that the device driver will certainly get any EAPOL frames comprising
a 4-way handshake before it gets the key installation call
for the derived key. By flushing its TX buffers it can then ensure
that no pending EAPOL frames are inadvertently encrypted with a key
that the peer will not yet have installed.

Update the RSN supplicant system to use this new operation for sending
EAPOL-Key frames when the driver reports that this capability is
available; otherwise, fall back to a normal Ethernet TX.

I have tested this on DMG (11ad/ay) devices with an out-of-tree Linux
driver that does not use mac80211. Without this patch I consistently see
PTK rekeying fail if message 4/4 shares a stream with other in-flight
traffic. With this patch, and the driver updated to flush the relevant TX
queue before overwriting a PTK (knowing, now, that if there was a message
4/4 related to the key installation, it has already entered the driver
queue), rekeying is reliable.

There is still data loss surrounding key installation - this problem is
alluded to in IEEE Std 802.11-2016, 12.6.21, where extended Key ID
support is described as the eventual solution. This patch aims to at
least prevent rekeying from totally breaking the association, in a way
that works on kernels as far back as 4.17 (as per Alexander Wetzel
extended Key ID support should be possible on 5.2).

See http://lists.infradead.org/pipermail/hostap/2019-May/040089.html for
a little more context.

Signed-off-by: Brendan Jackman <brendan.jackman@bluwireless.co.uk>
2020-01-05 20:34:15 +02:00
Brendan Jackman
8759e9116a nl80211: Control port over nl80211 helpers
Linux kernel v4.17 added the ability to request sending controlled port
frames (e.g., IEEE 802.1X controlled port EAPOL frames) via nl80211
instead of a normal network socket. Doing this provides the device
driver with ordering information between the control port frames and the
installation of keys. This empowers it to avoid race conditions between,
for example, PTK replacement and the sending of frame 4 of the 4-way
rekeying handshake in an RSNA. The key difference between the specific
control port and normal socket send is that the device driver will
certainly get any EAPOL frames comprising a 4-way handshake before it
gets the key installation call for the derived key. By flushing its TX
buffers it can then ensure that no pending EAPOL frames are
inadvertently encrypted with a key that the peer will not yet have
installed.

Add a CONTROL_PORT flag to the hostap driver API to report driver
capability for using a separate control port for EAPOL frames. This
operation is exactly like an Ethernet send except for the extra ordering
information it provides for device drivers. The nl80211 driver is
updated to support this operation when the device reports support for
NL80211_EXT_FEATURE_CONTROL_PORT_OVER_NL80211. Also add a driver op
tx_control_port() for request a frame to be sent over the controlled
port.

Signed-off-by: Brendan Jackman <brendan.jackman@bluwireless.co.uk>
2020-01-05 19:43:52 +02:00
Jouni Malinen
ccaabeaa03 driver: Remove unused send_ether() driver op
This was used only for FT RRB sending with driver_test.c and
driver_test.c was removed more than five years ago, so there is no point
in continuing to maintain this driver op.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-05 18:32:10 +02:00
Jouni Malinen
754cd71bf4 tests: WPS Application Extension attribute
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-04 23:39:40 +02:00
Bilal Hatipoglu
3d41dd7c50 WPS: Add application extension data to WPS IE
Application Extension attribute is defined in WSC tech spec v2.07 page
104. Allow hostapd to be configured to add this extension into WPS IE in
Beacon and Probe Response frames. The implementation is very similar to
vendor extension.

A new optional entry called "wps_application_ext" is added to hostapd
config file to configure this. It enodes the payload of the Application
Extension attribute in hexdump format.

Signed-off-by: Veli Demirel <veli.demirel@airties.com>
Signed-off-by: Bilal Hatipoglu <bilal.hatipoglu@airties.com>
2020-01-04 23:39:30 +02:00
Jouni Malinen
b7bb2c0204 P2P: Move p2p_long_listen into struct wpa_global
This variable is not specific to any P2P group interface and since it
was already used through global->p2p_init_wpa_s, it is cleaner to simply
move this to the global structure so that there is a single variable
instead of per-interface variables and need to pick the correct
interface.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-04 23:11:28 +02:00
Benjamin Berg
99eb150deb tests: Test p2p_long_listen longer than remain-on-channel
This tests an error, where the p2p_long_listen information from the
wrong device was used internally in wpa_supplicant when using the
separate P2P Device interface.

Signed-off-by: Benjamin Berg <bberg@redhat.com>
2020-01-04 23:07:31 +02:00
Benjamin Berg
9ad3c12dd1 P2P: Always use global p2p_long_listen
The p2p_long_listen value was set on the control wpa_s struct while in a
lot of cases it operated on the p2p struct. Explicitly use the global
p2p_init_wpa_s struct in cases where we might not be operating on it
already.

Without this, simply starting a p2p_listen operation (e.g., using
wpa_cli) will not work properly. As the p2p_long_listen is set on the
controlling interface and wpas_p2p_cancel_remain_on_channel_cb() uses
p2p_init_wpa_s, it would not actually work. This results in
wpa_supplicant stopping listening after the maximum remain-on-channel
time passes when using a separate P2P Device interface.

Signed-off-by: Benjamin Berg <bberg@redhat.com>
2020-01-04 23:07:31 +02:00
Jouni Malinen
e9aa399522 tests: PMF tests with not-protected disconnection using hostapd
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-04 20:41:52 +02:00
Jouni Malinen
9bedf90047 nl80211: Use monitor interface for sending no-encrypt test frames
Since NL80211_CMD_FRAME does not allow encryption to be disabled for the
frame, add a monitor interface temporarily for cases where this type of
no-encrypt frames are to be sent. The temporary monitor interface is
removed immediately after sending the frame.

This is testing functionality (only in CONFIG_TESTING_OPTIONS=y builds)
that is used for PMF testing where the AP can use this to inject an
unprotected Robust Management frame (mainly, Deauthentication or
Disassociation frame) even in cases where PMF has been negotiated for
the association.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-04 20:23:05 +02:00
Jouni Malinen
e62a1cbaf1 tests: Detect tshark regression in wpas_mesh_gate_forwarding
Skip this test case if the used tshark version has regression in mesh
control field parsing:
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=15521

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-04 18:08:03 +02:00
Jouni Malinen
dad2f3253c tests: Initial GTK/IGTK RSC setting
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-04 13:07:47 +02:00
Jouni Malinen
8d84c75f7c Allow testing override for GTK/IGTK RSC from AP to STA
The new hostapd gtk_rsc_override and igtk_rsc_override configuration
parameters can be used to set an override value for the RSC that the AP
advertises for STAs for GTK/IGTK. The contents of those parameters is a
hexdump of the RSC in little endian byte order.

This functionality is available only in CONFIG_TESTING_OPTIONS=y builds.
This can be used to verify that stations implement initial RSC
configuration correctly for GTK/ and IGTK.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-04 13:05:26 +02:00
Jouni Malinen
c1714ec08c tests: ROAM command failure cases
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-03 18:09:57 +02:00
Jouni Malinen
af670cb418 SME: Postpone current BSSID clearing until IEs are prepared
sme_send_authentication() could fail before actually requesting the
driver to authenticate with a new AP. This could happen after
wpa_s->bssid got cleared even though in such a case, the old association
is maintained and still valid. This can result in unexpected behavior
since wpa_s->bssid would not match the current BSSID anymore.

Fix this by postponing clearing of wpa_s->bssid until the IE preparation
has been completed successfully.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-03 18:06:01 +02:00
Jouni Malinen
ecd54bace4 tests: DFS with RRM
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-03 16:00:02 +02:00
Ben Greear
ff77431180 nl80211: Don't set offchan-OK flag if doing on-channel frame in AP mode
I saw a case where the kernel's cfg80211 rejected hostapd's attempt to
send a neighbor report response because nl80211 flagged the frame as
offchannel-OK, but kernel rejects because channel was 100 (DFS) and so
kernel failed thinking it was constrained by DFS/CAC requirements that
do not allow the operating channel to be left (at least in FCC).

Don't set the packet as off-channel OK if we are transmitting on the
current operating channel of an AP to avoid such issues with
transmission of Action frames.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2020-01-03 16:00:02 +02:00
Jouni Malinen
91588eeb69 tests: Remove allow_failure from DFS test cases
This functionality has been available in mac80211_hwsim for years, so
there is no need to maintain this old workaround.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-03 15:41:54 +02:00
Jouni Malinen
d5798e43f5 nl80211: Use current command for NL80211_CMD_REGISTER_ACTION
This was renamed to NL80211_CMD_REGISTER_FRAME long time ago.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-03 15:26:31 +02:00
Jouni Malinen
81ae8820a6 nl80211: Rename send_action_cookie to send_frame_cookie
This is to match the NL80211_CMD_ACTION renaming to NL80211_CMD_FRAME
that happened long time ago. This command can be used with any IEEE
802.11 frame and it should not be implied to be limited to Action
frames.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-03 15:23:49 +02:00
Jouni Malinen
5ad372cc3f nl80211: Clean up nl80211_send_frame_cmd() callers
Replace a separate cookie_out pointer argument with save_cookie boolean
since drv->send_action_cookie is the only longer term storage place for
the cookies. Merge all nl80211_send_frame_cmd() callers within
wpa_driver_nl80211_send_mlme() to use a single shared call to simplify
the function.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-03 15:18:46 +02:00
Jouni Malinen
0dae4354f7 nl80211: Get rid of separate wpa_driver_nl80211_send_frame()
Merge this function into wpa_driver_nl80211_send_mlme() that is now the
only caller for the previously shared helper function. This is a step
towards cleaning up the overly complex code path for sending Management
frames.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-03 15:00:15 +02:00
Jouni Malinen
e695927862 driver: Remove unused send_frame() driver op
All the previous users have now been converted to using send_mlme() so
this unused send_frame() callback can be removed.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-03 13:56:12 +02:00
Jouni Malinen
ce01804872 Convert the only remaining send_frame() users to send_mlme()
Since send_mlme() now has support for the no_encrypt argument it is
possible to get rid of the remaining send_frame() uses.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-03 13:53:42 +02:00
Jouni Malinen
27cc06d073 nl80211: Support no_encrypt=1 with send_mlme()
This allows send_mlme() to be used to replace send_frame() for the test
cases where unencrypted Deauthentication/Disassociation frames need to
be sent out even when using PMF for the association. This is currently
supported only when monitor interface is used for AP mode management
frames.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-03 13:53:42 +02:00
Jouni Malinen
665a3007fb driver: Add no_encrypt argument to send_mlme()
This is in preparation of being able to remove the separate send_frame()
callback.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-03 13:53:32 +02:00
Jouni Malinen
3710027463 Make hostapd_drv_send_mlme() more generic
Merge hostapd_drv_send_mlme_csa() functionality into
hostapd_drv_send_mlme() to get a single driver ops handler function for
hostapd. In addition, add a new no_encrypt parameter in preparation for
functionality that is needed to get rid of the separate send_frame()
driver op.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-03 13:34:37 +02:00
Jouni Malinen
b3525dc172 P2P Manager: Use send_mlme() instead of send_frame() for Deauthentication
send_frame() is documented to be used for "testing use only" and as
such, it should not have used here for a normal production
functionality. Replace this with use of send_mlme() which is already
used for sending Deauthentication frames in other cases.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-03 13:22:32 +02:00
Jouni Malinen
9474654752 IBSS RSN: Use send_mlme() instead of send_frame() for Authentication frames
send_frame() is documented to be used for "testing use only" and as
such, it should not have used here for a normal production
functionality. Replace this with use of send_mlme() which is already
used for sending Authentication frames in number of other cases.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-03 12:21:36 +02:00
Jouni Malinen
14cc3d10ca nl80211: Simplify hapd_send_eapol() with monitor interface
Call nl80211_send_monitor() directly instead of going through
wpa_driver_nl80211_send_frame() for the case where monitor interface is
used for AP mode management purposes. drv->use_monitor has to be 1 in
this code path, so wpa_driver_nl80211_send_frame() was calling
nl80211_send_monitor() unconditionally for this code path and that extra
function call can be removed here to simplify the implementation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-03 12:08:58 +02:00
Jouni Malinen
16a2667203 nl80211: Don't accept interrupted dump responses
Netlink dump message may be interrupted if an internal inconsistency is
detected in the kernel code. This can happen, e.g., if a Beacon frame
from the current AP is received while NL80211_CMD_GET_SCAN is used to
fetch scan results. Previously, such cases would end up not reporting an
error and that could result in processing partial data.

Modify this by detecting this special interruption case and converting
it to an error. For the NL80211_CMD_GET_SCAN, try again up to 10 times
to get the full response. For other commands (which are not yet known to
fail in similar manner frequently), report an error to the caller.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-02 23:34:53 +02:00
Jouni Malinen
696acdf333 tests: Make ap_hs20_roaming_consortiums_match more robust
Explicitly clear cfg80211 scan cache to avoid issues with old BSS
entries from previous test cases.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-02 22:54:29 +02:00
Jouni Malinen
82e64f9b90 tests: Roam between two APs based on driver signal level override
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-02 20:38:04 +02:00
Jouni Malinen
6c57019376 Test functionality to override driver reported signal levels
"SET driver_signal_override <BSSID> [<si_signal< <si_avg_signal>
<si_avg_beacon_signal> <si_noise> <scan_level>]" command can now be used
to request wpa_supplicant to override driver reported signal levels for
signal_poll and scan results. This can be used to test roaming behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-02 20:34:39 +02:00
Jouni Malinen
c8eb7fe66c Fix signal_poll based roaming skip
Fix a rebasing issue in the signal difference calculation. The older
patch was not updated to use the new cur_level local variable to get the
possibly updated signal level for the current BSS.

Fixes: a2c1bebd43 ("Improve roaming logic")
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-02 20:34:39 +02:00
Roy Marples
a8b00423ea BSD: Use struct ip rather than struct iphdr
As we define __FAVOR_BSD use the BSD IP header.
Compile tested on NetBSD, DragonFlyBSD, and Linux.

Signed-off-by: Roy Marples <roy@marples.name>
2020-01-02 19:17:10 +02:00
Jouni Malinen
3ea58a0548 nl80211: Fix libnl error string fetching
libnl functions return a library specific error value in libnl 2.0 and
newer. errno is not necessarily valid in all error cases and strerror()
for the returned value is not valid either.

Use nl_geterror() to get the correct error string from the returned
error code.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-02 18:05:38 +02:00
Jouni Malinen
139f7ab311 mac80211_linux: Fix libnl error string fetching
libnl functions return a library specific error value. errno is not
necessarily valid in all error cases and strerror() for the returned
value is not valid either.

Use nl_geterror() to get the correct error string from the returned
error code.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-02 18:05:38 +02:00
Jouni Malinen
25ebd538a4 Drop support for libnl 1.1
This simplifies code by not having to maintain and come up with new
backwards compatibility wrappers for a library release from 12 years
ago.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-02 18:05:38 +02:00