Jouni Malinen [Fri, 28 Nov 2014 17:44:58 +0000 (19:44 +0200)]
proxyarp: Relax frame length limit for RA and NA
Only the NS frames should be checked to be long enough to cover all the
fields used in the NS data structure. This allows shorter RA and NA
frames to be processed for multicast-to-unicast rules.
Jouni Malinen [Fri, 28 Nov 2014 17:27:07 +0000 (19:27 +0200)]
proxyarp: Add debug log entry on multicast-to-unicast conversion
This makes it easier to debug operations. The debug message is marked
EXCESSIVE, though, to avoid filling the logs with too much information
in default debugging cases.
Jouni Malinen [Fri, 28 Nov 2014 17:26:11 +0000 (19:26 +0200)]
Add DATA_TEST_FRAME for testing Data frame processing on AP side
The new hostapd control interface command can be used in automated
testing to verify how AP processes Data frames with arbitrary contents.
This is enabled only in builds with CONFIG_TESTING_OPTIONS=y.
Jouni Malinen [Fri, 28 Nov 2014 16:36:40 +0000 (18:36 +0200)]
proxyarp: Try multicast-to-unicast conversion only for authorized STAs
There is no point in trying to send the unicast converted version to a
STA that is not in authorized state since the driver would be expected
to drop normal TX Data frames in such state.
Jouni Malinen [Thu, 27 Nov 2014 21:53:22 +0000 (23:53 +0200)]
tests: Convert proxyarp tests to use DATA_TEST_FRAME
This is more robust and extensible than configuring IPv6 addresses on
the interfaces and trying to use ping6 or some other external tools to
generate suitable IPv6 frames.
Jouni Malinen [Thu, 27 Nov 2014 21:51:46 +0000 (23:51 +0200)]
Add DATA_TEST_FRAME for testing Data frame processing
The new wpa_supplicant control interface command can be used in
automated testing to verify how AP processes Data frames with arbitrary
contents. This is enabled only in builds with CONFIG_TESTING_OPTIONS=y.
Jouni Malinen [Thu, 27 Nov 2014 19:22:31 +0000 (21:22 +0200)]
tests: Make p2p_msg_invitation_req_to_go more robust
Wait for GO to start before sending invitation frames in the protocol
test. Without this, it was possible to hit the 5 second timeout on
management frame RX under load.
Jouni Malinen [Thu, 27 Nov 2014 19:06:18 +0000 (21:06 +0200)]
tests: Make go_neg_with_bss_connected more robust
It was possible for this test case to fail due to PBC overlap that was
detected based on previous test case having used PBC. Make that false
positive less likely to happen by explicitly clearing the scan cache on
the devices.
Jouni Malinen [Thu, 27 Nov 2014 18:33:35 +0000 (20:33 +0200)]
tests: Make ap_wps_reg_config_tkip failure log more helpful
The "Not fully connected" report did not clearly identify what went
wrong, so make this more verbose in hope of being able to determine what
happened should this test case fail again.
Jouni Malinen [Thu, 27 Nov 2014 18:30:07 +0000 (20:30 +0200)]
tests: Increase WPS connection timeout to make tests more robust
It was possible to hit the 10 second timeout in some test cases under
heavy load (e.g., with large number of VMs running tests in parallel).
These timeouts are not really indicating any real error, so make them
less likely to show up in reports by increasing the connection timeout
to 30 seconds.
Jouni Malinen [Thu, 27 Nov 2014 18:08:15 +0000 (20:08 +0200)]
tests: Optimize run-tests.py --prefill-tests startup time
It took significant part of the startup latency to prefill the database
with test cases due to the SQL COMMIT operation between each added row.
Move COMMIT to outside the loop to speed startup significantly.
Jouni Malinen [Thu, 27 Nov 2014 17:48:41 +0000 (19:48 +0200)]
tests: Follow test sequence from run-tests.py command line
It can be useful to specify an exact order of test cases and also to
allow the same test case to be run multiple times when the list of tests
is provided on the command line.
Jouni Malinen [Thu, 27 Nov 2014 17:00:02 +0000 (19:00 +0200)]
WMM AC: Fix memory leak on deinit without disassoc event
It was possible for wmm_ac_deinit() not getting called when an interface
was removed in a sequence where disassociation was not reported and
wmm_ac_notify_disassoc() did not get called. This resulted in leaking
whatever memory was allocated for WMM AC parameters. Fix that by calling
wmm_ac_notify_disassoc() from wpa_supplicant_cleanup().
Johannes Berg [Thu, 27 Nov 2014 15:13:57 +0000 (16:13 +0100)]
tests: Use tshark -Y instead of tshark -R
Newer versions of tshark don't like the -R (read filter) argument
for filtering and just show a deprecation warning. Use -Y (display
filter) instead, which hopefully also works on older versions.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Rashmi Ramanna [Wed, 26 Nov 2014 15:53:55 +0000 (21:23 +0530)]
P2P: Reinvite with social operation channel if no common channels
If invitation to reinvoke a persistent group from the GO fails with the
peer indicating that there are no common channels, there is no defined
means for the peer to indicate which channel could have worked. Since
this type of issue with available channels changing over time can
happen, try to work around this by retrying invitation using one of the
social channels as the operating channel unless a specific operating
channel was forced for the group.
Jouni Malinen [Thu, 27 Nov 2014 15:41:02 +0000 (17:41 +0200)]
Clear scan_req to NORMAL_SCAN_REQ for connection attempt
This is needed to fix some sequencies where a real scan in ap_scan=2
case would be issued even when the connection case would expect direct
connection without a scan.
This fixed an issue shown in hwsim test case autoscan_exponential
followed by ibss_open_fixed_bssid.
Jouni Malinen [Thu, 27 Nov 2014 14:39:14 +0000 (16:39 +0200)]
nl80211: Change iftype to station on leaving mesh
This is needed to make following operations behave as expected since
mesh iftypes may prevent various operations (e.g., registering Probe
Request frame RX). Use same design as leave_ibss does to handle this
consistently.
Jouni Malinen [Thu, 27 Nov 2014 12:59:28 +0000 (14:59 +0200)]
nl80211: Clear ignore_if_down_event if interface is up
It was possible for the ignore_if_down_event flag to remain set in some
cases where interface mode change required the interface to be set down
temporarily. If that happened, the following rfkill interface down could
have been ignored and device could have been left trying to scan or
connect (which would all fail due to the interface beign down). Clean
this up by clearing the ignore_if_down_event flag on the interface down
event regardless of whether the interface is up at the time this event
is processed.
Jouni Malinen [Thu, 27 Nov 2014 12:04:51 +0000 (14:04 +0200)]
tests: Replace last remaining hwsim_test uses with DATA_TEST
External tool is not needed anymore to run the data connectivity tests
since hostapd test mode now allows the possible bridge or VLAN interface
to be specified.
Jouni Malinen [Tue, 25 Nov 2014 23:14:41 +0000 (01:14 +0200)]
nl80211: Fix br_ifindex storing when hostapd creates the bridge
Commit 6c6678e7a456d4af58a2bf24ec8f15fb8b8b24ef ('nl80211: Make
br_ifindex available in i802_bss') did not cover the case where
i802_check_bridge() ends up creating the bridge interface. That left
bss->br_ifindex zero and prevented neighbor addition. Extend that
functionality to update br_ifindex once the bridge netdev has been
added.
Jouni Malinen [Tue, 25 Nov 2014 23:05:24 +0000 (01:05 +0200)]
proxyarp: Fix DHCP and ND message structures
These need to be marked packed to avoid issues with compilers
potentially adding padding between the fields (e.g., gcc on 64-bit
seemed to make struct icmpv6_ndmsg two octets too long which broke IPv6
address discovery).
Neelansh Mittal [Tue, 25 Nov 2014 10:11:28 +0000 (15:41 +0530)]
Do not re-open Android control sockets
On Android, the control socket being used may be the socket that is
created when wpa_supplicant is started as a /init.*.rc service. Such a
socket is maintained as a key-value pair in Android's environment.
Closing this control socket would leave wpa_supplicant in a bad state.
When wpa_supplicant re-opens the ctrl_iface socket, it will query the
Android's environment, and will be returned with the same socket
descriptor that has already been closed.
Jouni Malinen [Tue, 25 Nov 2014 14:58:21 +0000 (16:58 +0200)]
proxyarp: Use C library header files and CONFIG_IPV6
This replaces the use of Linux kernel header files (linux/ip.h,
linux/udp.h, linux/ipv6.h, and linux/icmpv6.h) with equivalent header
files from C library. In addition, ndisc_snoop.c is now built
conditionally on CONFIG_IPV6=y so that it is easier to handle hostapd
builds with toolchains that do not support IPv6 even if Hotspot 2.0 is
enabled in the build.
Masashi Honma [Tue, 25 Nov 2014 02:04:41 +0000 (11:04 +0900)]
SAE: Fix Anti-Clogging Token request frame format
This commit inserts Finite Cyclic Group to Anti-Clogging Token request
frame because IEEE Std 802.11-2012, Table 8-29 says "Finite Cyclic Group
is present if Status is zero or 76".
Jouni Malinen [Tue, 25 Nov 2014 13:19:19 +0000 (15:19 +0200)]
tests: Clear sae_groups to default value in forgotten cases
It was possible for some of the SAE test cases (e.g., ap_ft_sae) to fail
if they were run after the sae_groups test case that left the SAE group
configuration to a value that is not enabled by default. Fix this by
clearing sae_groups setting in the couple of test cases that were not
yet doing this.
Jouni Malinen [Sun, 23 Nov 2014 19:08:13 +0000 (21:08 +0200)]
WPA: Use more explicit WPA/RSN selector count validation
Some static analyzers had problems understanding "left < count * len"
(CID 62855, CID 62856), so convert this to equivalent "count > left /
len" (len here is fixed to 4, so this can be done efficiently).
Jouni Malinen [Sun, 23 Nov 2014 18:57:34 +0000 (20:57 +0200)]
WPS: Add explicit message length limit of 50000 bytes
Previously, this was implicitly limited by the 16-bit length field to
65535. This resulted in unhelpful static analyzer warnings (CID 62868).
Add an explicit (but pretty arbitrary) limit of 50000 bytes to avoid
this. The actual WSC messages are significantly shorter in practice, but
there is no specific protocol limit, so 50000 is as good as any limit to
use here.
Jouni Malinen [Sun, 23 Nov 2014 18:51:26 +0000 (20:51 +0200)]
PeerKey: Clean up EAPOL-Key Key Data processing on AP
This extends the earlier PeerKey station side design to be used on the
AP side as well by passing pointer and already validated length from the
caller rather than parsing the length again from the frame buffer. This
avoids false warnings from static analyzer (CID 62870, CID 62871,
CID 62872).
Jouni Malinen [Sun, 23 Nov 2014 18:39:52 +0000 (20:39 +0200)]
EAP-IKEv2: Make proposal_len validation clearer
Some static analyzers seem to have issues understanding "pos +
proposal_len > end" style validation, so convert this to "proposal_len >
end - pos" to make this more obvious to be bounds checking for
proposal_len. (CID 62874)
Jouni Malinen [Sun, 23 Nov 2014 18:36:17 +0000 (20:36 +0200)]
EAP-FAST: Make PAC file A_ID parser easier to analyze
Some static analyzers seem to have issues with "pos + len > end"
validation (CID 62875), so convert this to "len > end - pos" to make it
more obvious that len is validated against its bounds.
Jouni Malinen [Sun, 23 Nov 2014 18:31:08 +0000 (20:31 +0200)]
EAP-FAST: Clean up binary PAC file parser validation steps
This was too difficult for some static analyzers (CID 62876). In
addition, the pac_info_len assignment should really have explicitly
validated that there is room for the two octet length field instead of
trusting the following validation step to handle both this and the
actual pac_info_len bounds checking.
Jouni Malinen [Sun, 23 Nov 2014 18:23:35 +0000 (20:23 +0200)]
radiotap: Initialize all members in ieee80211_radiotap_iterator_init()
_next_ns_data could look like it would be used uninitialized in
ieee80211_radiotap_iterator_next() to static analyzers. Avoid
unnecessary reports by explicitly initializing all variables in struct
ieee80211_radiotap_iterator. (CID 62878)
Jouni Malinen [Sun, 23 Nov 2014 18:04:29 +0000 (20:04 +0200)]
HS 2.0: Clarify OSU Server URI length validation
The previous version was valid, but apparently too complex for some
static analyzers. Use a local variable for uri_len and explicitly
compare it against the remaining buffer length. (CID 68121)
Jouni Malinen [Sun, 23 Nov 2014 16:43:59 +0000 (18:43 +0200)]
Use more explicit num_pmkid validation in RSN IE parsing
Static analyzers may not have understood the bounds checking on
data->num_pmkid. Use a local, temporary variable and validate that that
value is within length limits before assining this to data->num_pmkid to
make this clearer. (CID 62857, CID 68126)
Jouni Malinen [Sun, 23 Nov 2014 16:32:04 +0000 (18:32 +0200)]
PCSC: Use clearer file TLV length validation step
This makes it easier for static analyzer to confirm that the length
field bounds are checked. WPA_GET_BE16() is also used instead of
explicit byte-swapping operations in this file. (CID 68129)
Jouni Malinen [Sun, 23 Nov 2014 15:48:34 +0000 (17:48 +0200)]
TLS client: Check DH parameters using a local variable
Use a temporary, local variable to check the DH parameters received from
the server before assigning the length to the struct tlsv1_client
variables. This will hopefully make it easier for static analyzers to
figure out that there is bounds checking for the value. (CID 72699)
Jouni Malinen [Sun, 23 Nov 2014 15:06:24 +0000 (17:06 +0200)]
RADIUS client: Print a clear debug log entry if socket is not available
It could have been possible to select a socket that is not open
(sel_sock == -1) and try to use that in socket operations. This would
fail with potentially confusing error messages. Make this clearer by
printing a clear debug log entry on socket not being available.
(CID 72696)
Jouni Malinen [Sun, 23 Nov 2014 14:37:16 +0000 (16:37 +0200)]
IKEv2: Use a bit clearer payload header validation step
It looks like the "pos + plen > end" case was not clear enough for a
static analyzer to figure out that plen was being verified to not go
beyond the buffer. (CID 72687)
Send link measurement response when a request is received. Advertise
only RCPI, computing it from the RSSI of the request. The TX power field
is left to be filled by the driver. All other fields are not published.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Assaf Krauss [Wed, 5 Nov 2014 08:42:51 +0000 (03:42 -0500)]
wpa_supplicant: Add NEIGHBOR_REP_REQUEST command to the control interface
Add NEIGHBOR_REP_REQUEST command to the wpa_supplicant ctrl_iface.
This command triggers the sending of a Neighbor Report Request to the
associated AP.
Assaf Krauss [Wed, 5 Nov 2014 08:42:48 +0000 (03:42 -0500)]
SME: Add RRM support to association request
In case the AP we are associating with advertises support for RRM,
advertise our own RRM support in the (Re)Association Request frame. This
is done by adding an RRM Capabilities IE. The underlying driver is
expected to further add a Power Capabilities IE to the request, and set
the Radio Measurement flag in the Capability Info field. At this point
the RRM Capabilities IE advertises no measurement support.
Assaf Krauss [Wed, 5 Nov 2014 08:42:45 +0000 (03:42 -0500)]
driver: Add RRM-related definitions to driver interface
Add definitions for RRM (Radio Resource Measurement) support:
1. Flags that specify the RRM capabilities of the underlying driver
2. Flag for RRM in Capability Info field in Management frames
3. Indication in association parameters regarding an RRM connection
Jouni Malinen [Sat, 22 Nov 2014 18:12:12 +0000 (20:12 +0200)]
WNM: Use recent scan results on BSS transition request
If the last scans are recent (for now, less than ten seconds old), use
them instead of triggering a new scan when a BSS Transition Management
Request frame is received. As a fallback, allow a new scan to be
triggered if no matches were found.
Jouni Malinen [Sat, 22 Nov 2014 17:50:16 +0000 (19:50 +0200)]
WNM: Optimize BSS transition management scans
When the list of preferred transition candidates is received, use the
identified channels to optimize the following scan so that no time is
wasted on other channels.
Jouni Malinen [Sat, 22 Nov 2014 17:48:08 +0000 (19:48 +0200)]
Add generic operating class and channel to frequency function
ieee80211_chan_to_freq() is a generic function that replaces and extends
the previous P2P-specific p2p_channel_to_freq(). The new function
supports both the global operating class table as well as the additional
US, EU, JP, and CN operating class tables.
Jouni Malinen [Sat, 22 Nov 2014 16:28:22 +0000 (18:28 +0200)]
tests: Fix wnm_bss_tm_req status code expectation
The implementation of WNM BSS transition management was extended to be
able to return a reject status code based on whether a matching entry is
found. The test case wnm_bss_tm_req was trying to enforce a different
status code to be used here based on old implementation.
Jouni Malinen [Sat, 22 Nov 2014 15:01:26 +0000 (17:01 +0200)]
WNM: Allow BSS transition request in same ESS even if RSSI is worse
This allows an AP to steer us to another BSS within the ESS even if that
results in reduced signal strength as long as the signal strength with
the target BSS is expected to provide some connectivity.
Jouni Malinen [Sat, 22 Nov 2014 13:37:27 +0000 (15:37 +0200)]
WNM: Simplify how candidate subelements are stored
There is no need to use a separately allocated data structures for this.
A bitfield indicating which information is present and variables within
struct neighbor_report are simpler to use and more efficient.
This implements minimal RSN 4-way handshake Supplicant in Python and
uses that to test hostapd Authenticator implementation in various
possible protocol sequencies.
Jouni Malinen [Fri, 21 Nov 2014 15:02:00 +0000 (17:02 +0200)]
AP: Extend EAPOL-Key msg 1/4 retry workaround for changing SNonce
If the 4-way handshake ends up having to retransmit the EAPOL-Key
message 1/4 due to a timeout on waiting for the response, it is possible
for the Supplicant to change SNonce between the first and second
EAPOL-Key message 2/4. This is not really desirable due to extra
complexities it causes on the Authenticator side, but some deployed
stations are doing this.
This message sequence looks like this:
AP->STA: EAPOL-Key 1/4 (replay counter 1, ANonce)
AP->STA: EAPOL-Key 1/4 (replay counter 2, ANonce)
STA->AP: EAPOL-Key 2/4 (replay counter 1, SNonce 1)
AP->STA: EAPOL-Key 3/4 (replay counter 3, ANonce)
STA->AP: EAPOL-Key 2/4 (replay counter 2, SNonce 2)
followed by either:
STA->AP: EAPOL-Key 4/4 (replay counter 3 using PTK from SNonce 1)
or:
AP->STA: EAPOL-Key 3/4 (replay counter 4, ANonce)
STA->AP: EAPOL-Key 4/4 (replay counter 4, using PTK from SNonce 2)
Previously, Authenticator implementation was able to handle the cases
where SNonce 1 and SNonce 2 were identifical (i.e., Supplicant did not
update SNonce which is the wpa_supplicant behavior) and where PTK
derived using SNonce 2 was used in EAPOL-Key 4/4. However, the case of
using PTK from SNonce 1 was rejected ("WPA: received EAPOL-Key 4/4
Pairwise with unexpected replay counter" since EAPOL-Key 3/4 TX and
following second EAPOL-Key 2/4 invalidated the Replay Counter that was
used previously with the first SNonce).
This commit extends the AP/Authenticator workaround to keep both SNonce
values in memory if two EAPOL-Key 2/4 messages are received with
different SNonce values. The following EAPOL-Key 4/4 message is then
accepted whether the MIC has been calculated with the latest SNonce (the
previously existing behavior) or with the earlier SNonce (the new
extension). This makes 4-way handshake more robust with stations that
update SNonce for each transmitted EAPOL-Key 2/4 message in cases where
EAPOL-Key message 1/4 needs to be retransmitted.
projects / thirdparty / hostap.git / log
