Commit graph

12486 commits

Author SHA1 Message Date
Jouni Malinen
969e525091 tests: Skip eap_tls_pkcs8_pkcs5_v15 with BoringSSL
It does not look like BoringSSL allows pbeWithMD5AndDES-CBC to be used
to protect the local private key, so skip this test case.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-21 12:31:20 +02:00
Jouni Malinen
d7f12e4eb9 OpenSSL: Make sure local certificate auto chaining is enabled
Number of deployed use cases assume the default OpenSSL behavior of auto
chaining the local certificate is in use. BoringSSL removed this
functionality by default, so we need to restore it here to avoid
breaking existing use cases.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-21 12:23:15 +02:00
Jouni Malinen
4be02b71bb OpenSSL: Remove SSL_{CTX_,}_clear_options ifdefs
This simplifies the implementation since the SSL_clear_options() and
SSL_CTX_clear_options() are available in all supported versions of
OpenSSL. These were previously needed with older (now obsolete) versions
of OpenSSL, but the ifdefs were missed when removing the more explicit
version macro based backwards compatibility sections.

In practice, this reverts commit
d53d2596e4.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-21 12:06:21 +02:00
Jouni Malinen
e297cc0d23 tests: P2P service discovery restarted immediately
This test case verifies that SD Response frame does not block the
following remain-on-channel operation unnecessarily long.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-21 00:21:37 +02:00
Jouni Malinen
7655bd7388 P2P: Do not use wait_time for SD Response TX without fragmentation
The full SD Response frame is not going to be followed by another Action
frame from the peer, so remove the 200 ms wait time from the offchannel
TX command in that case. This avoids leaving a 200 ms lock on the radio
to remain on the channel unnecessarily.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-21 00:18:03 +02:00
Jouni Malinen
1f0fdaf0e4 Fix race condition between AssocResp callback and 4addr event
It is apparently possible for the NL80211_CMD_UNEXPECTED_4ADDR_FRAME
event to be delivered to hostapd before the NL80211_CMD_FRAME_TX_STATUS
event for (Re)Association Response frame. This resulted in the 4-address
WDS mode not getting enabled for a STA. This could occur in particular
when operating under heavy load and the STA is reconnecting to the same
AP in a sequence where Deauthentication frame is followed immediately by
Authentication frame and the driver event processing gets delayed due to
removal of the previous netdev taking time in the middle of this
sequence.

Fix this by recording a pending item for 4-address WDS enabling if the
NL80211_CMD_UNEXPECTED_4ADDR_FRAME event would have been dropped due to
incompleted association and then process this pending item if the TX
status for the (Re)Association Response frame is received and it shows
that the frame was acknowledged.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-20 01:30:09 +02:00
Jouni Malinen
ad02e79d12 tests: Disable HT in ap_wds_sta_wep
HT cannot be used with WEP-only network, so don't try to do that here.
This get rids of some unnecessary Beacon frame updates during
disassociation/association and can make the test case a bit more robust.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-19 22:47:07 +02:00
Purushottam Kushwaha
a6f3761f7d eap_proxy: Add support for SIM state change indication from eap_proxy
This registers a new callback to indicate change in SIM state. This
helps to do some clean up (more specifically pmksa_flush) based on the
state change of the SIM. Without this, the reconnection using the cached
PMKSA could happen though the SIM is changed.

Currently eap_proxy_sim_state corresponds to only SIM_STATE_ERROR. This
can be further extended.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-19 22:21:07 +02:00
Jouni Malinen
79a54ab9f6 eap_proxy: Fix eap_proxy_init() prototype to use const eapol_cb
The eapol_cb structure was made const and that change resulted in a
compilation warning/error if CONFIG_EAP_PROXY=<name> is enabled in the
wpa_supplicant build configuration. Fix this by updating the function
prototype to match the change.

Note: This results in a change needed to external eap_proxy_*.c
implementations to match the change.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-19 22:14:07 +02:00
Jouni Malinen
aed9e23ae5 tests: WPS ER enrolling a new device to a configured AP
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-19 17:44:51 +02:00
Jouni Malinen
6c44d97b04 tests: D-Bus P2P discovery on a specific non-social channel
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-19 13:18:05 +02:00
Amit Purwar
4e118c847b D-Bus: Add 'freq' option to P2P Find method to specify starting channel
This allows user to start P2P Find/Scan on a particular frequency and
then move to scanning social channels. This support is already present
on control socket.

Signed-off-by: Amit Purwar <amit.purwar@samsung.com>
2016-12-19 13:09:31 +02:00
Jouni Malinen
74d29544f1 tests: RSN AP and PeerKey between two STAs with sniffer check
The previous PeerKey test cases did not actually verify in any way that
the SMK and STK exchanges were completed since mac80211 does not support
setting the key from STK. Use a sniffer check to confirm that the
exchanges complete to avoid PeerKey regressions like the ones fixed in
the last couple of commits.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-18 20:28:10 +02:00
Jouni Malinen
e414f4f021 PeerKey: Fix STK 4-way handshake regression
Commit c93b7e1888 ('RSN: Check result of
EAPOL-Key frame send request') forgot to update two PeerKey users of
EAPOL-Key TX functions. That resulted in STK handshake failing since
message 2/4 and 4/4 TX calls were assumed to have failed when the return
value was changed from 0 to a positive value for success case. This
resulted in not updating nonce information properly and hitting
following error when processing STK 4-way handshake message 3/4:

RSN: INonce from message 1 of STK 4-Way Handshake differs from 3 of STK
4-Way Handshake - drop packet (src=<addr>)

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-18 19:56:05 +02:00
Jouni Malinen
28fb9bb195 PeerKey: Fix EAPOL-Key processing
Commit 6d014ffc6e ('Make struct
wpa_eapol_key easier to use with variable length MIC') forgot to update
number of EAPOL-Key processing steps for SMK and STK exchanges and broke
PeerKey. Fix this by updating the Key Data field pointers to match the
new style with variable length Key MIC field.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-18 19:07:29 +02:00
Mikael Kanstrup
dfc7731729 Android: Add p2p_add_cli_chan=1 option
Add p2p_add_cli_chan=1 option to p2p_supplicant.conf to allow Wi-Fi P2P
operating as P2P client on passive scan channels.

In addition, add p2p_add_cli_chan=1 option to wpa_supplicant.conf to
have consistency in P2P channel list. There is a case where P2P channel
list is updated with different channels from p2p0 and wlan0.

Signed-off-by: Tomoharu Hatano <tomoharu.hatano@sonymobile.com>
2016-12-18 17:56:17 +02:00
Badrish Adiga H R
7508c2ad99 PAE: Make KaY specific details available via control interface
Add KaY details to the STATUS command output.

Signed-off-by: Badrish Adiga H R <badrish.adigahr@hpe.com>
2016-12-18 17:47:05 +02:00
Jouni Malinen
bae93012cd tests: mac80211 and unknown Action frame rejection in STA mode
Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-18 13:01:49 +02:00
Jouni Malinen
0851a180b9 tests: Verify hostapd mgmt_tx() success
Raise an exception if MGMT_TX command to hostapd fails. Previously, such
errors were ignored silently.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-18 13:01:49 +02:00
Jouni Malinen
1a4b4c8466 tests: Update gas_anqp_capab_list and gas_anqp_extra_elements
The FILS ANQP-element changes made couple of the generic ANQP test steps
fail. Update this to ignore the special FILS cases.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-18 13:01:49 +02:00
Jouni Malinen
1a73f53a65 tests: FILS SK and multiple realms
Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-18 11:41:59 +02:00
Jouni Malinen
b54f43390e FILS: Make FILS Indication element information available in BSS output
This extends wpa_supplicant BSS command to parse FILS Indication
element.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-18 11:41:59 +02:00
Jouni Malinen
8183aee6cc FILS: Add support for building FILS Realm Information ANQP-element
This allows full list of hashed realm names to be fetched from hostapd.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-18 11:41:59 +02:00
Jouni Malinen
9cad618679 FILS: Add Realm Information ANQP-element in BSS data
Add a named BSS command output entry for FILS Realm Information
ANQP-element (anqp_fils_realm_info).

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-18 11:41:51 +02:00
Jouni Malinen
f82bc83264 tests: Add fils_realm for existing FILS test cases
Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-17 22:08:25 +02:00
Jouni Malinen
26bf70e3d2 FILS: Separate FILS realm configuration from ERP domain
The new hostapd configuration parameter fils_realm=<realm> can now be
used to configure one or more FILS realms to advertise for ERP domains
when using FILS. This replaces the use of erp_domain=<domain> parameter
for the FILS use case.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-17 22:08:23 +02:00
Jouni Malinen
42b847ac1e FILS: Fix hashed realm name derivation
P802.11ai/D7.0 changed from CRC32 to SHA256 as the hash algorithm for
the FILS realm name. Update the implementation to match that change.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-17 22:07:57 +02:00
Jouni Malinen
29062f2932 Update various definitions based on IEEE Std 802.11-2016
This updates definitions for Status Codes, Reason Codes,
Information Element IDs, Action frame categories, Public Action
codes, Protected Dual of Public Action codes, Advertisement
Protocol ID, and ANQP info IDs based on IEEE Std 802.11-2016.

Signed-off-by: Jouni Malinen <j@w1.fi>
2016-12-17 12:27:49 +02:00
Jouni Malinen
670d5eba05 tests: Fix FST scanning for non-FST APs
The sta2.scan() calls were performing full scan of all channels and
reporting only the BSS entry that happened to be the first one in the
wpa_supplicant list. This is problematic since it is possible that the
target AP was not found and incorrect BSS was selected and used for
setting scan_freq which made the connection fail. Furthermore, there is
no need to use full scan for these test cases, so use a single channel
scan instead.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-15 14:17:14 +02:00
Jouni Malinen
aaa9c60bc2 Fix preauth_test build by updating add_pmkid/remove_pmkid callbacks
Commit c579312736 ('Add
PMKSA-CACHE-ADDED/REMOVED events to wpa_supplicant') added new arguments
to these callback functions, but forgot to update the implementations in
preauth_test.c.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-14 16:38:44 +02:00
Felix Fietkau
0babae87ad Fix wpa_supplicant build error with IEEE8021X_EAPOL unset
Add missing inline stubs for newly added functions.

Fixes: 3459381dd2 ("External persistent storage for PMKSA cache entries")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2016-12-14 16:37:03 +02:00
Jouni Malinen
0a425e0f04 tests: Make p2p_ext_vendor_elem_go_neg_conf more robust
Use P2P listen mode on dev[1] to speed up GO Negotiation and explicitly
wait for successfully completed GO Negotiation to make the failure cases
clearer. Previously, it was possible for the GO Negotiation to fail and
execution to go to the tshark check even when no GO Negotiation Confirm
frame was sent.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-14 16:33:19 +02:00
Jouni Malinen
bb5d761c2e tests: Do not attach wpa_supplicant monitor interface unnecessarily
There is no need to attach the monitor interface was events when issuing
only a single INTERFACES command.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-14 13:56:15 +02:00
Jouni Malinen
10f312d4a6 tests: Use longer timeout in p2p_go_neg_auth_result()
It is possible for the P2P-GROUP-STARTED event to get delayed more than
one second especially when the GO Negotiation responder becomes the P2P
Client and the system is heavily loaded. Increase the default timeout
for the expected success case from 1 to 5 seconds to avoid failing test
cases that would have succeeded if given a bit more time to complete the
exchange.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-14 12:45:37 +02:00
Jouni Malinen
4198e43309 tests: Properly skip pmksa_cache_ctrl_ext if PMKSA_GET is not supported
Mark the test as skipped instead of failed if wpa_supplicant is built
without PMKSA_GET support.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-13 20:13:42 +02:00
Jouni Malinen
3301e925b7 tests: Make dbus_p2p_go_neg_init more robust
It was apparently possible to get a propertiesChanged event from an
earlier test case with an empty Groups property. That ended up this case
exiting immediately before running through the steps and consequently,
failing due to missed operations. Make this less likely to happen by
accepting the Groups property emptying event only after a group has been
added for a peer first.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-13 20:07:52 +02:00
Jouni Malinen
0aca60b84c tests: Fix scan_reqs_with_non_scan_radio_work error reporting
Raise an exception instead of printing out to stdout if scan fails to
complete.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-13 20:07:52 +02:00
Jouni Malinen
58bd7dc341 tests: Scan and both Beacon and Probe Response frame IEs
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-13 20:07:52 +02:00
Jouni Malinen
19810d29bc Make Beacon IEs available in wpa_supplicant BSS command
This makes both the Probe Response and Beacon frame IEs available to
upper layers if scan results include both IE sets. When the BSS command
mask includes WPA_BSS_MASK_BEACON_IE, a new beacon_ie=<hexdump> entry
will be included in output if the BSS entry has two separate sets of IEs
(ie=<hexdump> showing the Probe Response frame contents and
beacon_ie=<hexdump> the Beacon rame contents).

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-13 20:07:52 +02:00
Jouni Malinen
a00a3458ed tests: Make ap_track_sta_no_probe_resp more robust
Check whether the unexpected BSS entry is based on having received a
Beacon frame instead of Probe Response frame. While this test case is
using a huge beacon_int value, it is still possible for mac80211_hwsim
timing to work in a way that a Beacon frame is sent. That made this test
case fail in some rare cases. Fix this by ignoring the BSS entry if it
is based on Beacon frame instead of Probe Response frame.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-13 20:07:52 +02:00
Jouni Malinen
e3b38d6e04 tests: Mesh network on 5 GHz band and 20/40 coex change
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-13 20:07:52 +02:00
Jouni Malinen
274e76f22f mesh: Fix channel configuration in pri/sec switch case
If 20/40 MHz co-ex scan resulted in switching primary and secondary
channels, mesh setup failed to update the frequency parameters for
hostapd side configuration and that could result in invalid secondary
channel configuration preventing creating of the mesh network. This
could happen, e.g., when trying to set up mesh on 5 GHz channel 36 and
co-ex scan finding a BSS on channel 40. Switching the pri/sec channels
resulted in hostapd code trying to check whether channel 32 is
available. Fix this by swapping the channels for hostapd configuration
when needed.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-13 15:25:52 +02:00
Jouni Malinen
cebda0e3e5 Make debug print clearer for AP/mesh mode secondary channel issues
If the secondary channel was not found at all, no debug print was shown
to indicate that the channel was rejected due to that problem. Print a
clearer message indicating which channel was behind the reason to reject
channel configuration as unsuitable for AP mode.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-13 15:09:15 +02:00
Jouni Malinen
8344ba1229 tests: Remove pmk_r1_push parameter from ap_ft_local_key_gen
Local key generation for FT-PSK does not use the AP-to-AP protocol and
as such, setting pmk_r1_push=1 is a bit confusing here since it gets
ignored in practice. Remove it to keep the test case easier to
understand.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-13 13:57:39 +02:00
Jouni Malinen
3615bde6fe tests: Clear scan cache at the end of ap_wps_per_station_psk_failure
It was possible for ap_wps_per_station_psk_failure to leave behind scan
entries with active PBC mode if cfg80211 BSS table. This could result in
a following test case failing due PBC overlap. Fix this by clearing the
cfg80211 BSS table explicitly.

This was found with the following test case sequence:
ap_wps_per_station_psk_failure autogo_pbc

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-13 13:03:52 +02:00
Jouni Malinen
fb748ae858 tests: PMKSA cache control interface for external management
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-12 23:56:57 +02:00
Jouni Malinen
3459381dd2 External persistent storage for PMKSA cache entries
This adds new wpa_supplicant control interface commands PMKSA_GET and
PMKSA_ADD that can be used to store PMKSA cache entries in an external
persistent storage when terminating a wpa_supplicant process and then
restore those entries when starting a new process. The previously added
PMKSA-CACHE-ADDED/REMOVED events can be used to help in synchronizing
the external storage with the memory-only volatile storage within
wpa_supplicant.

"PMKSA_GET <network_id>" fetches all stored PMKSA cache entries bound to
a specific network profile. The network_id of the current profile is
available with the STATUS command (id=<network_id). In addition, the
network_id is included in the PMKSA-CACHE-ADDED/REMOVED events. The
output of the PMKSA_GET command uses the following format:

<BSSID> <PMKID> <PMK> <reauth_time in seconds> <expiration in seconds>
<akmp> <opportunistic>

For example:

02:00:00:00:03:00 113b8b5dc8eda16594e8274df4caa3d4 355e98681d09e0b69d3a342f96998aa765d10c4459ac592459b5efc6b563eff6 30240 43200 1 0
02:00:00:00:04:00 bbdac8607aaaac28e16aacc9152ffe23 e3dd6adc390e685985e5f40e6fe72df846a0acadc59ba15c208d9cb41732a663 30240 43200 1 0

The PMKSA_GET command uses the following format:

<network_id> <BSSID> <PMKID> <PMK> <reauth_time in seconds> <expiration
in seconds> <akmp> <opportunistic>

(i.e., "PMKSA_ADD <network_id> " prefix followed by a line of PMKSA_GET
output data; however, the reauth_time and expiration values need to be
updated by decrementing them by number of seconds between the PMKSA_GET
and PMKSA_ADD commands)

For example:

PMKSA_ADD 0 02:00:00:00:03:00 113b8b5dc8eda16594e8274df4caa3d4 355e98681d09e0b69d3a342f96998aa765d10c4459ac592459b5efc6b563eff6 30140 43100 1 0
PMKSA_ADD 0 02:00:00:00:04:00 bbdac8607aaaac28e16aacc9152ffe23 e3dd6adc390e685985e5f40e6fe72df846a0acadc59ba15c208d9cb41732a663 30140 43100 1 0

This functionality is disabled be default and can be enabled with
CONFIG_PMKSA_CACHE_EXTERNAL=y build configuration option. It should be
noted that this allows any process that has access to the wpa_supplicant
control interface to use PMKSA_ADD command to fetch keying material
(PMK), so this is for environments in which the control interface access
is restricted.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-12 23:47:04 +02:00
Jouni Malinen
f0df5afa08 tests: PMKSA cache control interface events
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-12 21:02:49 +02:00
Jouni Malinen
c579312736 Add PMKSA-CACHE-ADDED/REMOVED events to wpa_supplicant
These allow external program to monitor PMKSA cache updates in
preparation to enable external persistent storage of PMKSA cache.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2016-12-12 21:00:43 +02:00
Daisuke Niwa
655dc4a432 Send "TERMINATING" event from hostapd
hostapd didn't send "TERMINATING" event when stopped by
SIGTERM. Android handles this event to stop monitor thread.

This commit adds "TERMINATING" event same as with wpa_supplicant.

Signed-off-by: Tomoharu Hatano <tomoharu.hatano@sonymobile.com>
2016-12-12 20:32:28 +02:00