Commit graph

5598 commits

Author SHA1 Message Date
Jouni Malinen
b162675fd9 tests: Add test cases for per-STA PSK in P2P group
Signed-hostap: Jouni Malinen <j@w1.fi>
2013-09-01 21:35:10 +03:00
Jouni Malinen
5bf9a6c859 P2P: Add event messages for possible PSK failures on P2P groups
It is possible for the GO of a persistent group to change the PSK or
remove a client when per-client PSKs are used and this can happen
without the SSID changing (i.e., the group is still valid, but just not
for a specific client). If the client side of such persistent group ends
up trying to use an invalidated persistent group information, the
connection will fail in 4-way handshake. A new WPS provisioning step is
needed to recover from this.

Detect this type of case based on two 4-way handshake failures when
acting as a P2P client in a persistent group. A new
"P2P-PERSISTENT-PSK-FAIL id=<persistent group id>" event is used to
indicate when this happens. This makes it easier for upper layers to
remove the persistent group information with "REMOVE_NETWORK <persistent
group id>" if desired (e.g., based on user confirmation).

In addition to indicating the error cases for persistent groups, all
this type of PSK failures end up in the client removing the group with
the new reason=PSK_FAILURE information in the P2P-GROUP-REMOVED event.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-09-01 21:35:10 +03:00
Jouni Malinen
eac8dab87c P2P: Document per-client keys and p2p_remove_client
Signed-hostap: Jouni Malinen <j@w1.fi>
2013-09-01 21:35:10 +03:00
Jouni Malinen
43c693c21a P2P: Do not store duplicate PSK entries for the same device
If a client joins a P2P group multiple times, replace the previous
per-client PSK entry instead of adding a new entry each time.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-09-01 21:35:10 +03:00
Jouni Malinen
f2c566027e P2P: Add a command for removing a client from all groups
The new control interface command P2P_REMOVE_CLIENT <P2P Device
Address|iface=Address> can now be used to remove the specified client
from all groups (ongoing and persistent) in which the local device is a
GO. This will remove any per-client PSK entries and deauthenticate the
device.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-09-01 21:35:10 +03:00
Jouni Malinen
01a57fe420 P2P: Maintain list of per-client PSKs for persistent groups
Record all generated per-client PSKs in the persistent group network
block and configure these for the GO Authenticator whenever re-starting
the persistent group. This completes per-client PSK support for
persistent groups.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-09-01 21:35:10 +03:00
Jouni Malinen
759fd76b7f P2P: Select PSK based on Device Address instead of Interface Address
When using per-device PSKs, select the PSK based on the P2P Device
Address of the connecting client if that client is a P2P Device. This
allows the P2P Interface Address to be changed between P2P group
connections which may happen especially when using persistent groups.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-09-01 11:30:26 +03:00
Jouni Malinen
94ddef3e72 P2P: Make peer's P2P Device Address available to authenticator
This can be used to implement per-device PSK selection based on the
peer's P2P Device Address instead of P2P Interface Address.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-09-01 11:05:19 +03:00
Jouni Malinen
52177fbb70 P2P: Store P2P Device Address in per-device PSK records
This makes the P2P Device Address of the Enrollee available with the PSK
records to allow P2P Device Address instead of P2P Interface Address to
be used for finding the correct PSK.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-09-01 10:47:34 +03:00
Jouni Malinen
05766ed8de P2P: Allow per-device PSK to be assigned
"wpa_cli p2p_set per_sta_psk <0/1>" can now be used to disable/enable
use of per-device PSKs in P2P groups. This is disabled by default.
When enabled, a default passphrase is still generated by the GO for
legacy stations, but all P2P and non-P2P devices using WPS will get
a unique PSK.

This gives more protection for the P2P group by preventing clients from
being able to derive the unicast keys used by other clients. This is
also a step towards allowing specific clients to be removed from a group
reliably without having to tear down the full group to do so.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-09-01 10:14:29 +03:00
Jouni Malinen
698e921b9e wpa_cli: Add tab completion for p2p_set field values
Signed-hostap: Jouni Malinen <j@w1.fi>
2013-08-31 20:58:35 +03:00
Syed Asifful Dayyan Rafiuddeen
0b5fb86a24 P2P: Stop listen state when listen-only duration is over
Even after listen duration is over, P2P module remained in
P2P_LISTEN_ONLY state, which is blocking station mode scans. Fix this by
stopping P2P listen explicitly to update p2p_state to IDLE when listen
duration expires.

Signed-hostap: Syed Asifful Dayyan <syedd@broadcom.com>
2013-08-31 18:09:15 +03:00
Jouni Malinen
dd850f4a11 tests: Make test_autogo validate group removal event on client
Use test_autogo to verify that P2P client is able to notice explicit
group session termination message from the GO. This would have caught
the regression in processing P2P deauthentication notifications.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-08-31 17:59:16 +03:00
Jouni Malinen
02a3e5c0d1 wpa_cli: Allow first DISCONNECTED event to be reported
wpa_cli filters out extra DISCONNECTED events from action scripts. This
ended up filtering out the first real DISCONNECT event in case wpa_cli
was started when wpa_supplicant was in connected state. Change wpa_cli
to allow the first disconnection event to be reported to the action
script in such case.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-08-31 17:27:20 +03:00
Jouni Malinen
cdf8bfa434 Disallow WEP configuration in WPA network
Some drivers fail to work if WEP keys are configured in a WPA network.
To avoid potentially confusing error cases, reject hostapd configuration
that enables WPA and includes parameters that would imply that WEP keys
would be set.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-08-31 17:18:45 +03:00
Jouni Malinen
731ef436d1 D-Bus: Fix per-iface object unregistration on not existing objects
If the private data for an object is not found, do not try to unregister
that object to avoid D-Bus errors.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-08-31 16:46:24 +03:00
Jouni Malinen
447969e034 D-Bus: Do not send network notification for all P2P groups
Previously, network added event was skipping during group formation.
However, this did not necessarily catch all cases of temporary P2P
network blocks. Check ssid->p2p_group to make this behavior more
consistent by avoiding all P2P groups.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-08-31 16:44:42 +03:00
Masashi Honma
eb32460029 Fix switching from EAP-SIM to EAP-AKA/AKA'
Switching EAP method from EAP-SIM to EAP-AKA fails.
wpa_cli commands are below.

------------------
sudo wpa_cli add_network
sudo wpa_cli set_network 0 ssid '"eap-sim"'
sudo wpa_cli set_network 0 key_mgmt WPA-EAP
sudo wpa_cli set_network 0 eap SIM
sudo wpa_cli set_network 0 pin '"1234"'
sudo wpa_cli set_network 0 pcsc '""'
sudo wpa_cli select_network 0

sudo wpa_cli disable_network 0
sudo wpa_cli disconnect
sudo wpa_cli remove_network 0

sudo wpa_cli add_network
sudo wpa_cli set_network 0 ssid '"eap-sim"'
sudo wpa_cli set_network 0 key_mgmt WPA-EAP
sudo wpa_cli set_network 0 eap AKA
sudo wpa_cli set_network 0 pin '"1234"'
sudo wpa_cli set_network 0 pcsc '""'
sudo wpa_cli select_network 0
------------------

Then EAP-AKA connection resulted in fail.
wpa_supplicant log is below.

------------------
wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 23 (AKA) selected
SCARD: Non-USIM card - cannot do UMTS auth
EAP-AKA: UMTS authentication failed (AUTN)
wlan0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
------------------

This occurs because on the first EAP-SIM authentication, the SIM/USIM
card in the device was recognized as SIM card even if it is USIM card.

So this patch changes it to recognize as USIM card even if EAP-SIM
authentication was required.

I have tested these switching cases.
EAP-SIM -> EAP-AKA
EAP-SIM -> EAP-AKA'
EAP-AKA -> EAP-SIM
EAP-AKA -> EAP-AKA'
EAP-AKA' -> EAP-SIM
EAP-AKA' -> EAP-AKA

Signed-hostap: Masashi Honma <masashi.honma@gmail.com>
2013-08-31 16:11:48 +03:00
Sreenath Sharma
f2b3f4de49 P2P: Allow P2P functionality to be disabled per interface
By default, P2P is initialized for all driver interfaces and this makes
P2P getting initialized for non-P2P station interface if the supplicant
is started first on this interface. If an interface is dedicated for
non-P2P station mode, it is now possible to disable P2P initialization
by adding 'p2p_disabled=1' in the configuration file of non-P2P station
interface, irrespective of the order in which supplicant is started.

Signed-hostap: Sreenath Sharma <sreenats@broadcom.com>
2013-08-31 11:59:05 +03:00
Jouni Malinen
846be88975 tests: Use longer timeout in test_ap_wps_er_add_enrollee
This is another one of the test cases that can time out frequently
under valgrind during WPS exchange. Increase the timeout to make
false error reports less likely to occur.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-08-31 11:54:23 +03:00
Michal Kazior
50f4f2a066 hostapd: Add Automatic Channel Selection (ACS) support
This adds ACS support to hostapd. Currently only survey-based
algorithm is available.

To use ACS you need to enable CONFIG_ACS=y in .config and use
channel=0 (or channel=acs_survey) in hostapd.conf.

For more details see wiki page [1] or comments in src/ap/acs.c.

[1]: http://wireless.kernel.org/en/users/Documentation/acs

Signed-hostap: Michal Kazior <michal.kazior@tieto.com>
2013-08-31 11:51:06 +03:00
Sreenath Sharma
43ee470494 P2P: Immediate group removal in GC in case of deauthentication
Right now in case of deauthentication from GO, immediate group removal will
happen in GC only if the deauthentication packet has a valid IE. However,
the IE in deauthentication packet is mandated only for managed P2P group.
So in normal P2P group the group removal is delayed and will happen later
only in group idle timeout.

This fixes a regression from commit
d7df0fa727 that changed the previous check
for data->deauth_info != NULL to data->deauth_info->ie != NULL.

Signed-hostap: Sreenath Sharma <sreenats@broadcom.com>
2013-08-31 11:11:41 +03:00
Andrejs Cainikovs
fcf20528a0 Fix MNC length for Swisscom SIM cards
Swisscom SIM cards do not include MNC length within EF_AD, and end up
using incorrect MNC length based on the 3-digit default. Hardcode MNC
length of 2 for Switzerland, in the same manner as it was done for
Finland.

Signed-hostap: Andrejs Cainikovs <andrejs.cainikovs@sonymobile.com>
2013-08-31 10:58:23 +03:00
Jouni Malinen
7e3f110b08 tests: Increase WPS timeout to 30 seconds
Number of crypto operations seem to take very long time in the valgrind
tests (about five seconds for public key generation for M1 and M2 on a
virtual server) and this is enough to push the test runs to hit the
timeout frequently even when there is no real error. Make this less
frequent by increasing WPS test case timeout from 15 to 30 seconds to
avoid issues based on the test scripts.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-08-31 10:45:03 +03:00
Jouni Malinen
b1ce1ec09b tests: Increase P2P group formation timeout to 20 seconds
Number of crypto operations seem to take very long time in the valgrind
tests (about five seconds for passphrase to PSK mapping and for public
key generation for M1 and M2 on a virtual server) and this is enough to
push the test runs to hit the timeout frequently even when there is no
real error. Make this less frequent by increasing group formation
timeout from 15 to 20 seconds to avoid issues based on the test scripts
(15 + config time seconds timeout in the protocol may still kick in,
though).

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-08-31 10:33:44 +03:00
Jouni Malinen
add7add09d IBSS RSN: Add a timeout for Authentication frame exchange
It is possible for the peer device not to support Authentication frame
exchange even though this would be required functionality in the
standard. Furthermore, either Authentication frame may be lost. To
recover from cases where Authentication frame sequence 2 is not
received, start EAPOL Authenticator from one second timeout.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-08-27 16:26:33 +03:00
Jouni Malinen
18ece3133e tests: Wait longer for program deinit
Wait a bit longer for wpa_supplicant/hostapd to exit and clear control
interface files separately if either any of the cleanup steps fail to do
so.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-08-27 16:02:15 +03:00
Jouni Malinen
15f7b02c95 tests: Wait for hostapd/wpa_supplicant to reply at start (concurrent)
Instead of waiting for a fixed duration, poll hostapd/wpa_supplicant
through the control interface until they are ready to reply in order to
avoid starting test case execution too early. This is like commit
b76579e0c0 but for the concurrent P2P test
cases that were forgotten from that commit.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-08-27 16:01:04 +03:00
Jouni Malinen
c1c0b35fea P2P: Postpone concurrent scans when waiting for first client as GO
Previously, concurrent station mode scans were postponed during an
ongoing P2P group formation up to the point of completed WPS
provisioning step. This would allow a scan to be started before the P2P
client has completed association for the data connection if a scan
request were timed to hit the window between the provisioning step and
the following association. Avoid this by extending P2P-in-progress state
to continue until the first data connection has been completed as part
of group formation. Use a ten second timeout for this to avoid leaving
scans disabled indefinitely if the client fails to connect completely.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-08-27 12:23:10 +03:00
Jouni Malinen
dcfb4d652a tests: Detect BSSID mismatch in test_ibss_rsn
It looks like mac80211 does not always manage to join the same IBSS and
this can result in test_ibss_rsn failures. Detect this case and try to
get the IBSSes to merge by running a scan prior to continuing with the
test case.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-08-27 03:11:02 +03:00
Jouni Malinen
6fb7b58fe4 IBSS RSN: Work around Data RX vs. Authentication RX race condition
It is possible for the driver to report EAPOL frame RX before
Authentication frame RX even if the frames arrived in the opposite
order. This can result in issues in cases where both IBSS peers initiate
Authentication frame exchange at about the same time and one of the
EAPOL sessions is started before processing Authentication frame seq=1
RX. Work around this by not re-initializing EAPOL state on
Authentication (SEQ=1) RX if own Authentication frame was transmitted
within last 500 ms.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-08-27 02:54:35 +03:00
Jouni Malinen
3d5b356ac0 tests: Wait for all 4-way handshake pairs in test_ibss_rsn
The handshake between STA2 and STA1 was not tracked previously. For
completeness, include that in the list of handshakes that are explicitly
waited for to complete prior to starting the connectivity tests. Since
all key setup should be done at this point, remove the extra wait before
the last connectivity test between STA1 and STA2.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-08-27 02:02:28 +03:00
Jouni Malinen
853b49a030 tests: Increase test_ap_wps_init connection timeout
It looks like there may not be enough time to complete this test case in
15 seconds under valgrind on a virtual host every time, so increase the
timeout to 30 seconds to get more consistent test results.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-08-26 16:54:05 +03:00
Jouni Malinen
b76579e0c0 tests: Wait for hostapd/wpa_supplicant to reply at start
Instead of waiting for a fixed duration, poll hostapd/wpa_supplicant
through the control interface until they are ready to reply in order to
avoid starting test case execution too early.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-08-26 16:47:15 +03:00
Jouni Malinen
9e88556a1c tests: Kill hostapd/wpa_supplicant more forcefully if needed
Try to make sure new testing can be started by forcing
hostapd/wpa_supplicant to be killed with SIGKILL if needed. In addition,
wait a bit longer when killing the processes to avoid issues with the
next test run starting before the old one has been fully terminated.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-08-26 16:38:13 +03:00
Jouni Malinen
28de68ae56 P2P: Update peer operating channel from GO Negotiation Confirm
If the device that sends the GO Negotiation Confirm becomes the GO, it
may change its operating channel preference between GO Negotiation
Request and Confirm messages based on the channel list received from us.
Previously, the peer operating channel preference was not updated in
such a case and this could result in the initial scans after GO
Negotiation using incorrect operating channel and as such, extra delay
in the connection process. Fix this by updating the operating channel
information from GO Negotiation Confirm in cases where the peer becomes
the GO.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-08-26 14:16:31 +03:00
Jouni Malinen
6701fdc37f P2P: Use the first pref_chan entry as operating channel preference
If there are no higher priority preference for the operating channel,
use the first pref_chan entry as the operating channel preference over
the pre-configured channel which is not really a good indication of
preference. This changes the behavior for GO Negotiation Request frame
operating channel preference value in cases where p2p_pref_chan list is
set.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-08-26 14:10:23 +03:00
Jouni Malinen
99d7c76294 P2P: Add more debug info on operating channel selection
Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-08-26 14:08:03 +03:00
Jouni Malinen
8d660e04e9 P2P: Add GO negotiation results into the P2P-GO-NEG-SUCCESS event
This provides status information about the negotiated group to
wpa_supplicant control interface monitors during group formation in a
form that is easier to use than having to fetch the information
separately.

Signed-hostap: Jouni Malinen <jouni@qca.qualcomm.com>
2013-08-26 13:35:44 +03:00
Jouni Malinen
2c6f8cf6c8 Replace perror() with wpa_printf(strerror) in ctrl_iface calls
This replaces number of perror() calls with wpa_printf() to get the
error messages embedded within rest of the debug messages in the same
stream instead of pushing these to stderr which may get directed to
another location.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-08-26 11:46:21 +03:00
Jouni Malinen
024913a156 tests: Stop valgrind.bin regardless of which option is started
The previous design of having to provide valgrind parameter to
stop-wifi.sh did not work since the new test setup may no match the
previous one. Instead of trying to figure out what needs to be stopped
based on previous run, stop all wpa_supplicant/hostapd processes running
under valgrind unconditionally to avoid cases where new set of processes
cannot be started due to existing processed.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-08-26 11:28:32 +03:00
Jouni Malinen
e5a3983819 tests: Use more enforced order for the RSN IBSS steps
test_ibss_rsn has been failing pretty frequently due to various issues
in getting all connections up. Try to address this initially by avoiding
concurrent operations and explicitly waiting for 4-way handshake
completion before testing data connection. Once this test case is
workign more robustly, a more difficult case with concurrent operations
can be added as a separate test case.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-08-25 23:10:37 +03:00
Jouni Malinen
e743db4309 IBSS RSN: Add IBSS-RSN-COMPLETED event message
This new control interface event message is used to indicate when
both 4-way handshakes have been completed with a new IBSS peer.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-08-25 23:09:22 +03:00
Jouni Malinen
433107f0a2 tests: Silence wlantest clear_tdls_counters output from stdout
This removes unnecessary "OK" lines from test logs.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-08-25 21:48:51 +03:00
Jouni Malinen
be1a40f26f tests: Redirect tcpdump output to a file
Signed-hostap: Jouni Malinen <j@w1.fi>
2013-08-25 21:43:21 +03:00
Jouni Malinen
4c559019bd P2P: Add state info to global STATUS command
This can be used for debugging purposes to see what the current P2P
module state is.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-08-25 21:02:12 +03:00
Jouni Malinen
ae8c27f79d Add STATUS command to global control interface
This provides global status information that is applicable to all
interfaces (e.g., P2P state). In addition, ifname/address pairs are
listed to get information of all the interfaces that are currently
managed through this wpa_supplicant instance.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-08-25 20:53:58 +03:00
Jouni Malinen
42868f1486 Add SAVE_CONFIG command to global control interface
This iterates through all interfaces and saves configuration file
updates for each interface that allows it (update_config=1).

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-08-25 20:41:39 +03:00
Jouni Malinen
1b9b31c153 Add SET command for global control interface
This allows global parameters to be set through the global control
interface without having to use IFNAME prefix. For now, this covers
only the wifi_display parameter.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-08-25 20:35:19 +03:00
Jouni Malinen
c548fb27c8 tests: Save debug log to a file and clean up stdout status
This makes it easier to figure out what failed and allows builbot to
integrate multiple logs and state information about the test cases.

Signed-hostap: Jouni Malinen <j@w1.fi>
2013-08-25 20:15:54 +03:00