Commit graph

19550 commits

Author SHA1 Message Date
Jouni Malinen
e619dcce31 tests: Allow more time for chirping in dpp_chirp_ap_5g
The full scan at the beginning of the chirping step can take over 15
seconds when 6 GHz and S1G channels are included and the timeout here is
not enough to handle that.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-01-26 12:18:32 +02:00
Jouni Malinen
30d6231e02 tests: Flush scan cache for rrm_beacon_req_table_detail
Explicitly flush the scan cache in wpa_supplicant and cfg80211 to avoid
test failures here. An additional BSS table entry from a scan based on a
previous test case could result in causing this test case to report
failure since each beacon response could include multiple entries and
the check for the details would fail due to the unexpected data.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-01-26 12:10:41 +02:00
Jouni Malinen
e41a51285d tests: Make dfs_etsi more robust
Explicitly wait for the STA to complete connection or channel switch
processing before running the second connectivity check.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-01-26 12:00:24 +02:00
Jouni Malinen
f20ca22dce DFS: Print the random channel list entry selection in debug print
This makes it a bit easier to understand what happens with random
channel selection after radar detection.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-01-26 11:59:48 +02:00
Jouni Malinen
d88fe8fe5d DFS: Fix a typo in a debug message
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-01-26 11:42:54 +02:00
Jouni Malinen
2e7b51719b tests: Add more time for concurrent GO group negotiation cases
It is possible for the parallel connection attempt with an AP and P2P
device discovery with P2P search on social channels to take close to the
15 second timeout and these test cases could fail because of that
instead of a real issue. Increase the timeout to make this less likely
to cause test failures. In addition, add a debug entry to the log on the
r_dev timeout to avoid confusing print from the i_dev thread reporting a
timeout even when the first timeout was on the rdev_

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-01-26 11:18:24 +02:00
Veerendranath Jakkam
e3fb9e6f2d Send actual BTM capability when the driver takes care of BSS selection
wpa_supplicant disables BTM capability in Extended Capabilities element
when wpa_supplicant selects a misbehaving MBO/OCE AP that uses RSN
without PMF, but this is disabling BTM support for whole ESS connection
lifetime though the BTM support can be enabled when the driver takes
care of BSS selection and selects/roams to a BSS which is MBO and OCE
specification compliant. Thus, always set the actual BTM capability in
Extended Capabilities element when the driver takes care of BSS
selection.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2024-01-25 20:11:07 +02:00
Veerendranath Jakkam
2c0cadd6ee wlantest: Adjust kdk_len according to RSNX capability for FT
Commit 0660f31ba0 ("wlantest: wlantest: Adjust kdk_len according to
RSNX capability") added support for PTK derivation and the additional
KDK component when Secure LTF support is used in the non-FT case.

Cover the same for the FT case to derive the correct PTK and consider
the additional KDK component when Secure LTF support is used.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2024-01-25 20:08:08 +02:00
Jouni Malinen
fee037d70d tests: Enable PSK AKMs in EHT+MLO in WPA3 transition mode test
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-01-25 19:50:07 +02:00
Jouni Malinen
8356a38f48 tests: Do not enable VHT for EHT test cases on 2.4 GHz
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-01-25 19:41:33 +02:00
Johannes Berg
bf26920792 tests: proxyarp_errors: Sync carrier before sending frame
Similar to other cases before, this may end up trying to
send the frame before the carrier state is ready. Ensure
it's ready before sending the frame.

To do that, rename the sync_carrier() function and make
the ifname argument optional.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2024-01-25 12:01:19 +02:00
Johannes Berg
b7ed69206d tests: FST: Leave time to process session request
Due to scheduling in UML time-travel, the test may continue
running and find that the failure didn't trigger when really
the frame just didn't make it through to the other side. Add
some time for the necessary processing.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2024-01-25 12:00:59 +02:00
Chenming Huang
6c334d9f04 nl80211: Set allowed frequency list per link for AP MLD
QCA_WLAN_VENDOR_ATTR_CONFIG_AP_ALLOWED_FREQ_LIST needs be to set per
link if operating as an AP MLD.

Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
2024-01-24 18:32:50 +02:00
mukul sharma
42cd2376fd Enhance QCA vendor interface with new SAR version numbers
Add more SAR version numbers in the qca_wlan_vendor_sar_version.

Signed-off-by: Mukul Sharma <quic_mukul@quicinc.com>
2024-01-24 12:47:54 +02:00
Jouni Malinen
5ae8838a06 Make test code easier for static analyzers
The previous os_strncmp() calls have already verified that there is a
space in the string, so this os_strchr() call cannot really return NULL.
Anyway, make this easier for static analyzers to understand.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-01-22 22:16:49 +02:00
Jouni Malinen
c03377cf27 SAE: Fix resource leak on reading a separate password file
The file needs to be closed on all paths before exiting from the
function.

Fixes: e748e50c62 ("SAE passwords from a separate file")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-01-22 22:16:46 +02:00
Jouni Malinen
348c047afd ACS: More consistent checking of the best channel pointer
It looks like best might be NULL in some cases, so check for this
explicitly before trying to dereference it for a debug print.

Fixes: 733de85680 ("ACS: Fix not selecting the best channel in the segment")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-01-22 21:58:06 +02:00
Jouni Malinen
5d54bf6fb6 Fix error path on Key Data field decryption
key_data_buf is already freed on the common exit path, so do not try to
free it here on error.

Fixes: 4abc37e67b ("Support Key Data field decryption for EAPOL-Key msg 2/4 and 4/4")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-01-22 21:54:34 +02:00
Jouni Malinen
a4d599a53d FT: Fix architecture for RxKH loading from a file
src/ap/ap_config.c is not really supposed to call directly into a
function in hostapd/config_file.c. Furthermore, the wrapper through
ap_config.c did not really have any real value since it just called a
function that is within hostapd/*.c and that wrapper was called from
hostapd/*.c.

Instead of the wrapper, just call the function directly within the
hostapd directory.

Fixes: 392114a179 ("FT: Add dynamic reload of RxKH definitions from file")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-01-22 21:30:10 +02:00
Jouni Malinen
0b95d1346f OpenSSL: Fix a memory leak on an error path
peerkey from EVP_PKEY_new() needs to be freed on all error paths.

Fixes: b062507670 ("OpenSSL: Implement crypto_ecdh routines without EC_KEY for OpenSSL 3.0")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-01-22 21:16:47 +02:00
Jouni Malinen
f873abd0d9 tests: Allow valgrind suppressions to be used
This makes valgrind reports somewhat cleaner when external libraries
have memory leaks that are not straighforward to fix. In addition,
increase the number of functions to include backtraces since the default
was not large enough to cover some cases.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-01-22 21:16:47 +02:00
Jouni Malinen
456bfec470 Avoid uninitialized seq number in debug print for testing functionality
If the driver fetch for the current sequency number fails, do not try to
print the value in a debug print without having cleared it.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-01-22 21:16:47 +02:00
Jouni Malinen
c179002789 tests: Fix a memory leak in a module test
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-01-22 21:16:47 +02:00
Jouni Malinen
7184e63ced dbus: Avoid memory leak on error when signaling PropertiesChanged
put_changed_properties() might fail, e.g., due to memory allocation
failure or a failure in a property getter function. Such an error case
would have leaked the message iteration container since the call to
dbus_message_iter_close_container() would have been skipped.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-01-22 21:16:47 +02:00
Jouni Malinen
4037c0ac1e nl80211: Fix wiphy event handling when the driver is deinitialized
Radar detection event could have resulted in the driver interface
instance getting deinitialized and the related memory freed in the
middle of the loop. This was not an issue when the event was passed only
into a single interface, but it became an issue when the loop tried to
send it to all interfaces. If the driver were removed, that loop check
would have used freed memory. Avoid this by explicitly checking that the
driver interface instance is still valid.

Fixes: f136837202 ("nl80211: Pass wiphy events to all affected interfaces")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-01-22 21:16:43 +02:00
Jouni Malinen
1c90c8d24e DPP: Avoid a potential use-after-free on an error path in AP
The TX status handler for DPP Authentication Confirm message might have
resulted in use-after-free if the start of a GAS query were to fail,
e.g., due to being somehow unable to transmit the initial request. Avoid
this by explicitly confirming that the authentication session was not
removed.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-01-22 13:59:03 +02:00
Jouni Malinen
32940c7a44 DPP: Fix use-after-free in connection status reporting when using TCP
The current connection (struct dpp_connection) might get removed during
the dpp_tcp_send_msg() call, so the code setting the
on_tcp_tx_complete_remove flag needs to check whether that happened to
avoid a potential use-after-free.

Fixes: 33cb47cf01 ("DPP: Fix connection result reporting when using TCP")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-01-22 13:11:17 +02:00
Jouni Malinen
9456adeeba DPP3: Fix potential use-after-free on push button bootstrap info
When removing the bootstrap info for the PB context, all the possible
pointers to that information needs to be cleared to avoid accesses to
freed memory.

Fixes: 37bccfcab8 ("DPP3: Push button bootstrap mechanism")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-01-22 12:51:53 +02:00
Jouni Malinen
e3d6fce848 EAP-SIM/AKA peer: Fix use-after-free for privacy identity
When the privacy protected itentity is used for EAP-SIM/AKA, the buffer
containing the identity was freed just before its use. Fix that by
reordering the operations.

Fixes: 881cb4198b ("EAP-SIM/AKA peer: Simplify identity selection for MK derivation")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-01-22 11:47:00 +02:00
Jouni Malinen
fd71cae6c9 nl80211: Fix memory leak on libnl nl_cb
nl_socket_get_cb() increases cb_refcnf for the cb that is bound to a
socket and as such, nl_cb_put() needs to be used with the returned cb
after having cloned it to avoid leaking memory due to cb_refcnt never
getting back to 0.

Fixes: da0d51fee7 ("nl80211: Use socket cb instead of global->nl_cb in send_and_recv()")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-01-22 11:35:51 +02:00
Jouni Malinen
2814dbd6db OpenSSL: Fix a memory leak in crypto_ec_key_parse_priv()
The OpenSSL 3.x version of crypto_ec_key_parse_priv using
OSSL_DECODER_CTX missed the call to free the context. Fix it to avoid a
memory leak.

Fixes: 4f4479ef9e ("OpenSSL: crypto_ec_key_parse_{priv,pub}() without EC_KEY API")
Signed-off-by: Jouni Malinen <j@w1.fi>
2024-01-22 00:37:31 +02:00
Jouni Malinen
aa1aa289cd AP MLD: Optimize struct mld_link_info size
Use smaller variables when possible and reorder the variables to avoid
unnecessary padding. This drops struct mld_link_info size from 64 to 48
bytes and removes 240 bytes from struct sta_info.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-01-21 22:24:08 +02:00
Jouni Malinen
93eab9f0fa Mark hostapd_gen_probe_resp() static
This function has been used only within beacon.c and it got accidentally
converted to a global function.

Fixes: 6b5e00a80e ("AP: Use a struct for Probe Response generation in/out params")
Signed-off-by: Jouni Malinen <j@w1.fi>
2024-01-21 22:23:47 +02:00
Jouni Malinen
512b925240 AP MLD: Reduce struct mld_link_info size
Replace the fixed length maximum buffer size for STA profile with
dynamically allocated buffers for active links. This reduces struct
mld_link_info size by almost 16 kB and drops the per-STA information in
struct sta_info to a more reasonable size to avoid the almost 10x
increase from MLO support.

In addition, free the resp_sta_profile buffers as soon as the ML element
has bee generated for (Re)Association Response frame since those buffers
are not needed after that.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-01-21 21:59:11 +02:00
Jouni Malinen
b91572b308 AP MLD: Fix RADIUS deinit
The singleton RADIUS client design did not address the deinit path
properly. Since hapd->radius could be shared with another links, the
pointer on all those other links needs to be cleared before freeing the
RADIUS client context. Without this, deinit path could have ended trying
to use freed memory when clearing STA entries from other links and
trying to flush any pending RADIUS client messages.

Fixes: a213fee11d ("AP: MLO: Make IEEE 802.1X SM, authserv, and RADIUS client singletons")
Signed-off-by: Jouni Malinen <j@w1.fi>
2024-01-21 21:21:11 +02:00
Jouni Malinen
fa79e46c78 AP MLD: Use a helper function to set whether a STA is a non-AP MLD
This makes it easier to change the struct sta_info design for MLD by
reducing the number of direct references.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-01-21 19:08:08 +02:00
Jouni Malinen
6bda0aca8b AP MLD: Use a helper function to check if a STA is a non-AP MLD
This makes it easier to change the struct sta_info design for MLD by
reducing the number of direct references.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-01-21 19:08:08 +02:00
Jouni Malinen
ee9375fb3b tests: Association comeback mechanism in wpa_supplicant
Allow the Timeout Interval Type field in the Timeout Interval element to
be overridden with a different value for testing purposes to be able to
bypass the association comeback processing in mac80211. This allows the
wpa_supplicant internal functionality to be tested.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-01-21 12:17:23 +02:00
Harry Bock
33179cd291 SME: Handle PMF association comeback when not handled in driver
In associations using PMF (IEEE 802.11w/MFP), the infrastructure
implements SA teardown protection by rejecting an (Re)Association
Request frame from an already-associated client.  The AP responds with
error 30 (Association request rejected temporarily) to instruct the
(potentially spoofing) client to back off, while it issues an SA Query
procedure to the already-associated client. If the client can respond to
it within the back-off period, it considers the new association to be a
spoof attempt.

However, there are cases where a legitimate client might need to
handle this error response - consider if the STA has deauthenticated,
but the AP cannot hear it (out of range).  If the MFP STA has deleted
its keys, it cannot respond to the SA Query procedure.

This association comeback process has commonly been implemented in the
driver, e.g., within mac80211 in case of the Linux drivers that use SME
in userspace. However, there are drivers that do not implement this
functionality. Extended wpa_supplicant to cover such cases as well.

The current implementation interprets this association error as a true
error, and will either add the BSS to the list of ignored BSSIDs, or
continue to try other BSSes. This can cause wpa_supplicant to back off
trying to reconnect for progressively longer intervals, depending on the
infrastructure's configured comeback timeout.

Allow wpa_supplicant to interpret the error, searching for the Timeout
Interval element in the (Re)Association Response frame and starting a
timer in the SME layer to re-associate after the timeout. This can be a
long delay (1-4 seconds in my experience), but it is likely much shorter
than bouncing between nearby BSSes.

This does not change behavior for drivers that implement association
comeback timer internally since they do not report the temporary
association rejection status code to user space.

Signed-off-by: Harry Bock <hbock@zebra.com>
2024-01-21 12:00:15 +02:00
Jouni Malinen
a86709b52e tests: Write more info and statistics in parallel-vm.log
This is helpful in tracking how the total test execution time changes.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-01-20 20:53:21 +02:00
Damien Dejean
0ef4b1e1db D-Bus: Add a signal for HS2.0 terms and conditions
Add HS20TermsAndConditions signal to D-Bus API to allow clients to be
notified when the network requires the acceptance of terms and
conditions. The URL of the T&C page is provided as a signal parameter.

Signed-off-by: Damien Dejean <damiendejean@chromium.org>
2024-01-20 20:16:36 +02:00
Jouni Malinen
6a8d0e9196 wlantest: Do not decrease debug level for test vectors
The CCMP PV1 test vector dropped debugging verbosity at the end. This
was not really supposed to be done since these test vectors are expected
to print at EXCESSIVE verbosity.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-01-20 19:45:20 +02:00
Henry Ptasinski
4e3f6b847a wlantest: Add test vectors for S1G BIP
- CMAC and GMAC modes
- 128-bit and 256-bit modes
- normal BIP and BIP using BCE
- test vectors with minimum and optional additional header elements in
  S1G beacon frames
- S1G Beacon Compatibility element in some cases, no other beacon body
   components

Signed-off-by: Henry Ptasinski <henry@e78com.com>
Signed-off-by: Andrew Pope <andrew.pope@morsemicro.com>
Signed-off-by: David Goodall <dave@morsemicro.com>
2024-01-20 19:39:27 +02:00
Henry Ptasinski
3fad445496 wlantest: Fix the cipher name in a BIP-GMAC-256 test vector
Signed-off-by: Henry Ptasinski <henry@e78com.com>
Signed-off-by: Andrew Pope <andrew.pope@morsemicro.com>
Signed-off-by: David Goodall <dave@morsemicro.com>
2024-01-20 19:34:54 +02:00
Jouni Malinen
f580691897 tests: FT with dynamic RxKHs configuration
Signed-off-by: Jouni Malinen <j@w1.fi>
2024-01-20 10:46:23 +02:00
Dariusz Kopka
542ccf00b5 FT: Add control interface command to show configured RxKHs
The new GET_RXKHS control interface command can be used to list the
currently configured RxKHs.

Signed-off-by: Dariusz Kopka <dariusz@plume.com>
2024-01-20 10:23:43 +02:00
Dariusz Kopka
392114a179 FT: Add dynamic reload of RxKH definitions from file
hostapd reads the list of Rx Key Holders from hostapd.conf file.
However, for systems where topology changes dynamically, the update
of RxKHs list is required without reloading the whole configuration.

Introduce a new source of RxKH definition with original syntax:
- rxkh_file - Path to a file containing a list of RxKHs.

In addition, add a control interface command RELOAD_RXKHS to
reload RxKHs definition from the file specified in `rxkh_file`.

This allows hostapd to properly distribute Rx keys even after topology
change (assuming rxkh_file is updated and reload_rxkhs command issued).

Syntax of rxkh_file is the same as extraction of r0kh and r1kh options
from original hostapd.conf file.

```
r0kh=ff:ff:ff:ff:ff:ff * 00112233445566778899aabbccddeeff
r0kh=ff:ff:ff:ff:ff:ff * 00112233445566778899aabbccddeeff
r1kh=00:00:00:00:00:00 00:00:00:00:00:00 00112233445566778899aabbccddeef
r1kh=00:00:00:00:00:00 00:00:00:00:00:00 00112233445566778899aabbccddeef
r1kh=00:00:00:00:00:00 00:00:00:00:00:00 00112233445566778899aabbccddeef
```

Signed-off-by: Dariusz Kopka <dariusz@plume.com>
2024-01-20 10:23:04 +02:00
Dariusz Kopka
e94a7d7940 FT: Move RxKH configuration clearing into a helper function
This can be used as a shared function for reloading RxKHs at runtime.

Signed-off-by: Dariusz Kopka <dariusz@plume.com>
2024-01-20 10:19:25 +02:00
Jouke Witteveen
c69ce778f6 Fix building against OpenSSL 3
Smartcard support uses the ENGINE API of OpenSSL, which has been
deprecated as of OpenSSL 3. Rather than migrating the code to the new API
or pretending that we do not support OpenSSL 3, accept that we use
deprecated functionality.

Signed-off-by: Jouke Witteveen <j.witteveen@gmail.com>
2024-01-20 09:39:49 +02:00
Benjamin Berg
5589d62c57 nl80211: Avoid NL80211_WPA_VERSION_3 on older kernel versions
NL80211_WPA_VERSION_3 was only added in kernel 5.2 so it should not be
set for older kernel versions.  There is no direct way to check if the
value is supported. However, we can use the new infrastructure to check
whether the kernel has the NL80211_ATTR_SAE_PASSWORD attribute. It is
related and was added at the same time.

Fixes: 6cc78b3945 ("nl80211: Set NL80211_WPA_VERSION_2 vs. _3 based on AKM")
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-01-20 09:39:04 +02:00