Jouni Malinen [Thu, 14 Feb 2019 20:24:16 +0000 (22:24 +0200)]
Indicate wifi_generation in wpa_supplicant STATUS output
This adds a wifi_generation=4/5/6 line to the STATUS output if the
driver reports (Re)Association Request frame and (Re)Association
Response frame information elements in the association or connection
event. Only the generations 4 (HT = 802.11n), 5 (VHT = 802.11ac), and 6
(HE = 802.11ax) are reported.
Jouni Malinen [Thu, 14 Feb 2019 20:01:20 +0000 (22:01 +0200)]
nl80211: (Re)Association Request frame IEs from association event
Process NL80211_ATTR_REQ_IE from the NL80211_CMD_ASSOCIATE event to
allow request IEs to be made available for the SME-in-wpa_supplicant
case similarly to how this is done with SME-in-driver with
NL80211_CMD_CONNECT.
Jouni Malinen [Fri, 15 Feb 2019 00:06:46 +0000 (02:06 +0200)]
tests: ap_wpa_ie_parsing to allow EAPOL-Key msg 2/4 rejection
Once mac80211 starts reporting the used Association Request frame IEs in
the association event, wpa_supplicant will update RSN supplicant IE
information based on that and that will make the AP reject EAPOL-Key msg
2/4 in this particular test scenario due to the hack of including two
RSN IEs in the Association Request frame. Accept this sequence as a
valid test execution in addition to the previously expected connection
to avoid reporting incorrect failures.
Jouni Malinen [Thu, 14 Feb 2019 11:34:33 +0000 (13:34 +0200)]
VLAN assignment based on used WPA/WPA2 passphrase/PSK
Extend wpa_psk_file to allow an optional VLAN ID to be specified with
"vlanid=<VLAN ID>" prefix on the line. If VLAN ID is specified and the
particular wpa_psk_file entry is used for a station, that station is
bound to the specified VLAN. This can be used to operate a single
WPA2-Personal BSS with multiple VLANs based on the used passphrase/PSK.
This is similar to the WPA2-Enterprise case where the RADIUS server can
assign stations to different VLANs.
Jouni Malinen [Thu, 14 Feb 2019 10:09:09 +0000 (12:09 +0200)]
HS 2.0 server: Add X-WFA-Hotspot20-Filtering header line to T&C
When filtering is successfully disabled at the end of the terms and
conditions acceptance sequence, add the "X-WFA-Hotspot20-Filtering:
remove" header line to the HTTP response.
Jouni Malinen [Mon, 11 Feb 2019 23:16:13 +0000 (01:16 +0200)]
HE: Fix set_he_cap() parsing of config options for MU EDCA Params
When I replaced the POS() function with ffs() when applying relevant
parts from the original patch, this ended up breaking the frame
construction since the POS() function was supposed to count the bit
offset for the mask with 0 being the LSB instead of 1 returned by ffs().
Furthermore, ffs() is not available in all C libraries (e.g., not
directly exposed by strings.h on Android), so better not depend on that
or compiler builtins for this since there is no need for this to be as
fast as possible in configuration parsing.
Fix this with a simple function to determine the number of bits the
value needs to be shifted left to align with the mask.
Fixes: 11ce7a1bc3e2 ("HE: Add MU EDCA Parameter Set element (AP)") Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Jouni Malinen [Mon, 11 Feb 2019 15:37:08 +0000 (17:37 +0200)]
Do not disassociate not-associated STA on timeout
If the ap_handle_timer() timeout is reached for a not-associated STA, do
not default to disassociating that STA first since Disassociation frame
is not really appropriate to send to a STA that is not in associated
state. Instead, skip directly to deauthentication and STA entry removal.
Johannes Berg [Fri, 8 Feb 2019 16:57:48 +0000 (17:57 +0100)]
common: Add strongly typed element iteration macros
Rather than always iterating elements from frames with pure
u8 pointers, add a type "struct element" that encapsulates
the id/datalen/data format of them.
Then, add the element iteration macros
* for_each_element
* for_each_element_id
* for_each_element_extid
which take, as their first 'argument', such a structure and
iterate through a given u8 array interpreting it as elements.
While at it also add
* for_each_subelement
* for_each_subelement_id
* for_each_subelement_extid
which instead of taking data/length just take an outer element
and use its data/datalen.
Also add for_each_element_completed() to determine if any of
the loops above completed, i.e., it was able to parse all of
the elements successfully and no data remained.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Jouni Malinen [Sun, 10 Feb 2019 15:55:42 +0000 (17:55 +0200)]
tests: Fix wnm-fuzzer by adding dummy configuration
Some of the WNM implementation expects configuration to be available
(e.g., ieee802_!1_rx_wnm_coloc_intf_req() dereferences wpa_s->conf), so
add a dummy configuration to allow the fuzzer tool to be used.
Jouni Malinen [Sun, 10 Feb 2019 15:02:49 +0000 (17:02 +0200)]
tests: EAPOL-Key fuzzing tool
Add test-eapol program that can be used for fuzzing the EAPOL-Key
Supplicant and Authenticator implementations. This tool can write
Supplicant or Authenticator messages into a file as an initialization
step and for the fuzzing step, that file (with potential modifications)
can be used to replace the internally generated message contents.
The TEST_FUZZ=y build parameter is used to make a special build where a
hardcoded random number generator and hardcoded timestamp are used to
force deterministic behavior for the EAPOL-Key operations. This will
also make the implementation ignore Key MIC and AES keywrap errors to
allow processing of modified messages to continue further.
Jouni Malinen [Sun, 10 Feb 2019 11:41:10 +0000 (13:41 +0200)]
RSN: Do not start preauthentication timer without candidates
There is no need to schedule the postponed RSN preauthentication start
if there are no candidates. Avoid wasting eloop resources for this.
This is most useful for fuzz testing of the 4-way handshake
implementation to avoid getting stuck waiting for this unnecessary one
second time when using eloop to coordinate the Authenticator and
Supplicant state machines.
Jouni Malinen [Sat, 9 Feb 2019 23:51:51 +0000 (01:51 +0200)]
TLS: Fix X.509 certificate name conversion into empty string
If none of the supported name attributes are present, the name string
was nul terminated only at the end. Add an explicit nul termination at
the end of the last written (or beginning of the buffer, if nothing is
written) to avoid writing uninitialized data to debug log.
Jouni Malinen [Sat, 9 Feb 2019 23:34:24 +0000 (01:34 +0200)]
TLS: Fix ASN.1 parsing with no room for the header
Explicitly check the remaining buffer length before trying to read the
ASN.1 header values. Attempt to parse an ASN.1 header when there was not
enough buffer room for it would have started by reading one or two
octets beyond the end of the buffer before reporting invalid data at the
following explicit check for buffer room.
Jouni Malinen [Sat, 9 Feb 2019 23:08:07 +0000 (01:08 +0200)]
TLS: Fix AlertDescription for missing partial processing case
tlsv1_record_receive() did not return error here and as such, &alert was
not set and must not be used. Report internal error instead to avoid use
of uninitialized memory.
Jouni Malinen [Sat, 9 Feb 2019 19:07:24 +0000 (21:07 +0200)]
tests: TLS fuzzing tool
Add test-tls program that can be used for fuzzing the internal TLS
client and server implementations. This tool can write client or server
messages into a file as an initialization step and for the fuzzing step,
that file (with potential modifications) can be used to replace the
internally generated message contents.
The TEST_FUZZ=y build parameter is used to make a special build where a
hardcoded random number generator and hardcoded timestamp are used to
force deterministic behavior for the TLS operations.
Jouni Malinen [Sat, 9 Feb 2019 14:10:47 +0000 (16:10 +0200)]
TLS client: Fix peer certificate event checking for probing
conn->cred might be NULL here, so check for that explicitly before
checking whether conn->cred->cert_probe is set. This fixes a potential
NULL pointer dereference when going through peer certificates with
event_cb functionality enabled.
Masashi Honma [Fri, 8 Feb 2019 22:51:07 +0000 (07:51 +0900)]
tests: Change handling of reading non blocked empty stream for python3
The result of reading non blocked empty stream is different between
python2 and 3. The python2 sends "[Errno 11] Resource temporarily
unavailable" exception. The python3 could read "None" without
exception, so handle this "None" case as well.
Jouni Malinen [Sat, 9 Feb 2019 22:06:26 +0000 (00:06 +0200)]
nl80211: Use wpa_ssid_txt() for debug messages more consistently
Print the SSID with printf escaping instead of wpa_hexdump_ascii()
format to clean up the debug log a bit. This was already done for number
of SSID debug prints.
P2P: Update find_start timer only when p2p_scan is started.
p2p->find_start timer was updated on each p2p_find call irrespective of
p2p_find being successful/failed/rejected. For cases where p2p_find was
in progress/pending, another call to p2p_find would be rejected but
p2p->find_start timer would still be updated.
p2p->find_start is maintained in wpa_supplicant to reject the kernel
scan entries before the p2p->find_start time. In above scenario, some of
the scan entries could be discarded even if the Probe Respons frame(s)
were received during the last scan/p2p_find.
This commit changes this to update the p2p->find_start timer only when
call to p2p_find is successful, i.e., a new scan is actually started.
Jouni Malinen [Thu, 31 Jan 2019 10:54:33 +0000 (12:54 +0200)]
HS 2.0: Update the T&C Acceptance subtype value
The previously used value 2 was already assigned for another purpose
(MBO non-preferred channel report), so the newer T&C Acceptable
definition needs to be updated with a unique value.
Johannes Berg [Sat, 2 Feb 2019 22:38:35 +0000 (23:38 +0100)]
tests: Make /etc/alternatives work in VM
In recent Debian versions, ebtables is an alias managed by
the alternatives(8) mechanism. This means /usr/sbin/ebtables
is a symlink to /etc/alternatives/ebtables, which in turn
links to the real binary.
As we mount a tmpfs over /etc, we cannot access this.
Fix this by bind-mounting the real /etc to /tmp/etc and
adding a symlink from /etc/alternatives to this.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Johannes Berg [Sat, 2 Feb 2019 22:16:07 +0000 (23:16 +0100)]
tests: Add sigma_dut to .gitignore
Evidently this file must exist when running the sigma_dut
dependent tests, add it to .gitignore so it's not seen as
making the tree "unclean" when it is added manually.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Johannes Berg [Sat, 2 Feb 2019 22:16:03 +0000 (23:16 +0100)]
tests: Add test reconnecting on assoc failure
Add a test that drops the authentication frame, so that
hostapd thinks the station is unknown, and then sends one
by itself, so the station thinks it's associated. This
tests mostly the kernel's capability to recover from this
scenario.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Jouni Malinen [Tue, 5 Feb 2019 18:36:28 +0000 (20:36 +0200)]
nl80211: Clear PMKID add command message buffer
This command has now been extended to include PMK for offload needs, so
the message buffer needs to be cleared explicitly after use to avoid
leaving such material in heap memory unnecessarily.
Fixes: 061a3d3d5300 ("nl80211: Add support for FILS Cache Identifier in add/remove_pmkid()") Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Jouni Malinen [Tue, 5 Feb 2019 18:34:34 +0000 (20:34 +0200)]
nl80211: Clear connect command message buffer
This command can include keys (WEP or PSK for offload), so the message
buffer needs to be cleared explicitly after use to avoid leaving such
material in heap memory unnecessarily.
Jouni Malinen [Tue, 5 Feb 2019 18:30:08 +0000 (20:30 +0200)]
nl80211: Request kernel to trim off payload of netlink requests from acks
We do not need such payload in the acknowledgment, so adding it uses
resources unnecessarily. Furthermore, the original request can include
key material (e.g., NL80211_ATTR_PMK). libnl does not explicitly clear
this received message buffer and it would be inconvenient for
wpa_supplicant/hostapd to try to clear it with the current libnl design
where a duplicated buffer is actually passed to the callback. This means
that keys might be left unnecessarily in heap memory. Avoid this by
requesting the kernel not to copy back the request payload.
Jouni Malinen [Tue, 5 Feb 2019 18:26:50 +0000 (20:26 +0200)]
EAP peer: Clear temporary message buffers before freeing
These buffers in TLS-based EAP methods might contain keys or password
(e.g., when using TTLS-PAP or PEAP-GTC), so clear them explicitly to
avoid leaving such material into heap memory unnecessarily.
Jouni Malinen [Tue, 5 Feb 2019 18:25:21 +0000 (20:25 +0200)]
Clear config item writing buffer before freeing it
This buffer may be used to store items like passwords, so better clean
it explicitly to avoid possibility of leaving such items in heap memory
unnecessarily.
Johannes Berg [Tue, 5 Feb 2019 11:26:58 +0000 (12:26 +0100)]
tests: Optionally start telnet server inside VMs
If telnetd is installed and --telnet <port> is passed on the
vm-run.sh command line, start a telnet server (directly connected
to bash, no login) inside the VM(s) to be able to look into them
when something is wrong. Use a user network in qemu with a single
host forward from the specified port for this, listening only on
'localhost'.
Please note that this provides unauthenticated access to the guest
system from anything that can open a TCP connection on the host system.
The guess system does have access to reading all files on the host that
the user account running kvm has access to (and even write access if the
default ROTAG ,readonly parameter is cleared). In other words, this
option should not be used on any multiuser systems where kvm is run
under user accounts that are not dedicated for testing purposes (i.e.,
do not have access to any files that should not be readable to
everyone).
This needs CONFIG_VIRTIO_NET=y in the guest kernel.
For parallel-vm.py, the --telnet argument specifies the base port
and each VM index (0, 1, ...) is added to it.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Johannes Berg [Tue, 5 Feb 2019 11:26:46 +0000 (12:26 +0100)]
tests: Suppress annoying console reset from VMs
Recently, qemu/seabios grew an annoying console/terminal reset,
which also causes my terminal to be left in a state where long
lines don't work well and less gets confused because of this.
Suppress this by suppressing all output from qemu before a new
magic string printed from inside.sh.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Jouni Malinen [Tue, 5 Feb 2019 00:12:00 +0000 (02:12 +0200)]
tests: Create radio for p2ps_channel_active_go_and_station_different_mcc
Instead of relying on existing configuration (which may conflict
with other tests) and skipping otherwise, create a new radio with
two channels in this test and use it.
Johannes Berg [Sat, 2 Feb 2019 23:04:31 +0000 (00:04 +0100)]
tests: Create radio for p2ps_channel_both_connected_different_mcc
Instead of relying on existing configuration (which may conflict
with other tests) and skipping otherwise, create a new radio with
two channels in this test and use it.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Jouni Malinen [Mon, 4 Feb 2019 17:27:57 +0000 (19:27 +0200)]
tests: Encode Disconnect-Request attributes in sorted order for python3
This is needed to fix issues with dict iteration resulting in different
order of attributes when trying to calculate Message-Authenticator
externally to pyrad.
Jouni Malinen [Mon, 4 Feb 2019 16:26:53 +0000 (18:26 +0200)]
tests: Clean up pyrad test cases for python3 compatibility
All other test cases seem to work, but radius_das_disconnect_time_window
is still failing due to incorrect authenticator or Message-Authenticator
in Disconnect-Request.
Jouni Malinen [Mon, 4 Feb 2019 15:13:54 +0000 (17:13 +0200)]
D-Bus: Fix P2P DeleteService dict iteration
The previous implementation assumed the first entry coming out from the
dict is always service_type. That may not be the case, so properly
iterate over all dict entries in one loop instead of assuming what the
first entry is.
Jouni Malinen [Mon, 4 Feb 2019 14:46:31 +0000 (16:46 +0200)]
tests: Read sigma_dut-ap.conf as binary data for python3 compatibility
Sending UTF-8 encoded data to logger file is currently not working
properly, so create a separate binary file with a copy of
sigma_dut-ap.conf instead to work with both python2 and python3.
Jouni Malinen [Mon, 4 Feb 2019 10:23:45 +0000 (12:23 +0200)]
tests: MAC address ASCII string generation in python3 compatible manner
Use struct.unpack() to get a list of int and then generate a list of
hexstr octets from it for ':'.join() to get consistent behavior for both
python2 and python3.
Jouni Malinen [Sun, 3 Feb 2019 10:24:49 +0000 (12:24 +0200)]
tests: Replace str.translate() with str.replace()
This is needed for python3 since the two argument version of
str.translate() is not available for unicode. Furthermore, these cases
of delete colons from the string are simple enough for replace.