Avoid potential race condition in ap_cipher_tkip_countermeasures_ap by
sending the first test frame only after the AP has completed processing
the 4-way handshake and also wait a bit to allow the group key handshake
to be completed.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
If a tests hits a WARN_ON_ONCE then the retriggering will make it appear
to pass, since the warning will not happen again. Make this more
reliable by resetting the states at the beginning of each test.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
The kernel has an asynchronous work to enable TX, which hasn't always
run by the time we get to TX tests. Do a sysfs read from the carrier
file before TX, on newer kernels this synchronises the needed state.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
It looks like the lifetime_in_memory test cases can hit a read failure
(Errno 5 - Input/output error) every now and then, so skip memory areas
that report that, but go through all readable process memory.
Signed-off-by: Jouni Malinen <j@w1.fi>
There are different CHAN_SWITCH flows for DFS and non-DFS channels.
Non-DFS one saves previous BW value in iface->conf, but DFS flow
replaces it with a new user requested value. Setting a non-DFS channel
after a DFS one with BW = 160 would have resulted in a mismatch between
the saved BW and vht_capab (if VHT160 was not included by default). This
would have led to a check fail in the hostapd_set_freq_params()
function.
Signed-off-by: Dmitrijs Martinovs <dmartinovs@maxlinear.com>
Wait for AP/GO to complete processing before taking the next step in a
test instead of waiting just for STA. This avoids race conditions with
UML time-travel.
Signed-off-by: Jouni Malinen <j@w1.fi>
The remaining lifetime of the PMKSA entry is decreasing, so need to
allow it to differ between the old and new entries.
Signed-off-by: Jouni Malinen <j@w1.fi>
Avoid race condition with TX status reporting for the broadcast
Deauthentication frame. This could be delivered after the SET command
for ext_mgmt_frame_handled=1 and as such, could result in an
MGMT-TX-STATUS event that would confuse the next step in the test.
Signed-off-by: Jouni Malinen <j@w1.fi>
Wait for the externally triggered scan to actually start before issuing
the own scan command to avoid a race condition with UML time-travel.
Signed-off-by: Jouni Malinen <j@w1.fi>
Do not leave dev[0] in state where it is waiting for
NL80211_CMD_ASSOCIATE to complete since that might deliver an
ASSOC_TIMED_OUT event to the next test case.
Signed-off-by: Jouni Malinen <j@w1.fi>
It is possible for the start_listen() callback to be called to request
the driver to start a driver operation and stop_listen() called
immediately after that (e.g., due to a request to transmit a P2P Public
Action frame) before the driver has had time to start ROC and send an
event to notify of that. Such a sequence could result in
p2p->pending_listen_freq being left to a nonzero value without getting a
call to p2p_listen_cb() to clear it. This would stop an ongoing P2P
listen operation since no following p2p_listen() call would start the
listen due to the pending command being assumed to be in effect.
Fix this by detecting this particular sequence and clearing
p2p->pending_listen_freq.
This was found with the p2p_listen_and_offchannel_tx test case with the
new kernel scheduled and UML time-travel.
Signed-off-by: Jouni Malinen <j@w1.fi>
This test case has a race condition between the first and second
initiated DPP exchange. New kernel scheduling with UML time-travel is
making the first exchange complete before the first one can be started.
Making this fully robust would likely need ext_mgmt_frame_handling=1 and
more complex test script, but as an initial workaround, split URI
parsing from dev[2] to happen before dev[1] is started so that only a
single DPP_AUTH_INIT command is needed during the race window.
In addition, detect the race condition and SKIP the test instead of
reporting FAIL.
Signed-off-by: Jouni Malinen <j@w1.fi>
Wait for hostapd to complete processing before taking the next step in a
test instead of waiting just for wpa_supplicant. This avoids race
conditions with UML time-travel.
Signed-off-by: Jouni Malinen <j@w1.fi>
Even though the radio work has started here, kernel might not have
started ROC (i.e., the REMAIN_ON_CHANNEL event has not yet been
received). Wait a bit to increase likelihood of everything being ready
for the following DPP operation.
Signed-off-by: Jouni Malinen <j@w1.fi>
At least with UML time-travel, it is possible for the response frame to
be received before the TX status of the request is delivered. Such a
sequence resulted in run_req_beacon() dropping the response event and
the following step failing due to a missing event. Avoid this by caching
the received response in run_req_beacon() and returning them to the
caller.
Signed-off-by: Jouni Malinen <j@w1.fi>
Wait some time before requesting disconnection to allow hostapd to
complete 4-way handshake processing. Wait some time after disconnection
has been completed on the STA before trying to use SAE again with the AP
so that hostapd has a chance to complete disconnection with UML
time-travel.
Signed-off-by: Jouni Malinen <j@w1.fi>
Allow doing X BSS transition management query calls before falling back
to scan.
Example format to do 4 BTM queries before attempting a scan:
bgscan="simple:30:-65:300:4"
Signed-off-by: Ben Greear <greearb@candelatech.com>
With changes to optimize scan for specific BSSID, there arises a
scenario where in nl80211_trigger_scan() is called with a scan
randomization enabled. A combination of NL80211_ATTR_MAC for BSSID and
scan randomization, which uses NL80211_ATTR_MAC for a different purpose,
results in invalid error for the scan request. To fix the issue use
attribute NL80211_ATTR_BSSID instead of NL80211_ATTR_MAC.
NL80211_ATTR_BSSID was introduced in kernel commit 2fa436b3a2a7
("nl80211: Use different attrs for BSSID and random MAC addr in scan
req") in 2016. Prior to that, only NL80211_ATTR_MAC could be used for
specifying the target BSSID. For backwards compatibility, add the
NL80211_ATTR_MAC attribute as well when not using a random MAC address.
Signed-off-by: Vinayak Yadawad <vinayak.yadawad@broadcom.com>
The underlying driver can reject only specific links in an association
request. In that case we will only ignore the corresponding BSS. Add a
test for this flow by simulating an association failure on the second
link specifically.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Test ML association, automatic link discovery using ML probe requests
and marking BSSs as failed after an ML association failure, if the
corresponding link also rejected the association.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Also check that we can discover BSSs requests using ML probe requests.
Note that this requires a new enough mac80211 which parses the ML probe
request and reports the contained BSSs.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
All the station flags other than WPA_STA_SHORT_PREAMBLE are relevant
only for the MLD station and not to the link stations (as these flags
are related to the MLD state and not the link state).
As for the WPA_STA_SHORT_PREAMBLE, since the station is an EHT
station, it must have short preamble.
Thus, do not propagate the flags change for link stations to the driver.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
On the default configuration if MBO only is enabled then build breaks as GAS
is not selected, if other features that auto-enable GAS are selected
then it works.
Signed-off-by: Chaitanya Tata <Chaitanya.Tata@nordicsemi.no>
Add additional check for 6 GHz operating class. Otherwise this results
in setting incorrect segment 0 index for 5 GHz 40 MHz channel 157-161,
which has the same center segment 0 index 159 as 6 GHz 320 MHz expected
channel.
Fixes: 085a3fc76e ("EHT: Add 320 channel width support")
Signed-off-by: Mikelis Vuls <mvuls@maxlinear.com>
Add a new QCA subcommand QCA_NL80211_VENDOR_SUBCMD_REGULATORY_TPC_INFO
and related attributes qca_wlan_vendor_attr_tpc_links,
qca_wlan_vendor_attr_tpc definition to query transmit power information
on STA interface from the driver for a connected AP.
The information includes regulatory max transmit power limit, AP local
power constraint advertised from AP's Beacon and Probe Response frames.
For PSD power mode, the information includes PSD power levels for each
subchannel of operating bandwidth. The information is driver calculated
power limits based on current regulatory domain, AP local power
constraint and other IEs. The information will be set to target. Target
will decide final TX power based on this and chip specific power
conformance test limits (CTL), and SAR limits.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
For AP MLD case, HT-scan and ACS happens per link. To determine the
correct link, link id is required.
Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
For a memory constrained system, it may be more important to reduce
binary size than include support for these capabilities.
By default this is enabled.
Signed-off-by: Chaitanya Tata <Chaitanya.Tata@nordicsemi.no>
For a memory constrained system, it may be more important to reduce
binary size than include support for these capabilities.
By default this is enabled.
Signed-off-by: Chaitanya Tata <Chaitanya.Tata@nordicsemi.no>
Removing radio measurements and supported operating class indication
might be needed to reduce binary size for a memory constrained system
that does not need more advanced features. However, removing these is
not recommended since they can help the AP manage the network and STA
steering.
By default this functionality is enabled.
Signed-off-by: Chaitanya Tata <Chaitanya.Tata@nordicsemi.no>
Beacon hinting is a feature that can temporarily change the regulatory
rule flags on the channel where the radio hears the beacon. Add a new
event CTRL-EVENT-REGDOM-BEACON-HINT to notify the wpa_supplicant user
about an important update to the regulatory rules including which
frequencies are impacted, new power limit, and new rule flags.
Signed-off-by: Jun Yu <junyuu@chromium.org>
Do not allow offchannel operation for action frame transmission if
no frequency is specified, as this doesn't make sense.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
The wpa_auth_callbacks for mesh was missing a for_each_sta
implementation. This is an issue with pmksa cache, as when a cache entry
expires the for_each_sta callback is called in order to clear the pmksa
reference for all sta that was using this entry. Not having a
for_each_sta callback will prevent this cleanup to happen then a sta
could still use this pmksa entry even after it has been freed.
This used after free was not a problem up until recently where
dpp_pkhash is now stored in pmksa entry and retreived later on causing
crash with below backtrace:
_wpa_snprintf_hex src/utils/common.c:326
wpa_snprintf_hex src/utils/common.c:348
hostapd_ctrl_iface_sta_mib src/ap/ctrl_iface_ap.c:542
hostapd_ctrl_iface_sta_mib src/ap/ctrl_iface_ap.c:542
hostapd_ctrl_iface_sta_mib src/ap/ctrl_iface_ap.c:600
hostapd_ctrl_iface_sta src/ap/ctrl_iface_ap.c:615
wpa_supplicant_ctrl_iface_process src/wpa_supplicant/ctrl_iface.c:12741
wpa_supplicant_global_ctrl_iface_receive src/wpa_supplicant/ctrl_iface_unix.c:1141
eloop_sock_table_dispatch src/utils/eloop.c:625
eloop_run src/utils/eloop.c:1238
wpa_supplicant_run src/wpa_supplicant/wpa_supplicant.c:8021
main src/wpa_supplicant/main.c:393
Adding a for_each_sta callbacks fixes that.
Fixes: 043dedee83 ("DPP: Expose enrollee pubkey hash for identification")
Signed-off-by: Remi Pommarel <repk@triplefau.lt>
