Jouni Malinen [Mon, 29 Dec 2014 11:05:32 +0000 (13:05 +0200)]
Clear wpa_psk memory when setting up wpa_supplicant AP mode
This is more of a theoretical case since this part is done only during
setup and the structure is not allocated in practice. Anyway,
maintaining more consistent use of bin_clear_free() for structures that
may contain keys is useful.
Jouni Malinen [Mon, 29 Dec 2014 11:03:01 +0000 (13:03 +0200)]
Clear TK part of PTK after driver key configuration
There is no need for wpa_supplicant to maintain a copy of the TK part of
PTK after this has been configured to the driver, so clear that from
heap memory and only maintain KEK and KCK during association to allow
additional EAPOL-Key handshakes.
Jouni Malinen [Mon, 29 Dec 2014 11:00:03 +0000 (13:00 +0200)]
Clear temporary keys from WPA supplicant state machine when not needed
PMK and PTK are not needed in the supplicant state machine after
disassociation since core wpa_supplicant will reconfigure them for the
next association. As such, clear these from heap in
wpa_sm_notify_disassoc() to reduce time and number of places storing key
material in memory. In addition, clear FT keys in case of
CONFIG_IEEE80211R=y build (sm->xxkey stored a copy of PSK in case of
FT-PSK).
Jouni Malinen [Mon, 29 Dec 2014 15:22:17 +0000 (17:22 +0200)]
tests: Filter out extra files from codecov reports
wpa_cli and hostapd_cli are not currently tested for code coverage, so
filter the files specific to those components away from the code
coverage reports. *_module_tests.c are not included in normal builds, so
drop them as well. In addition, drop the system header file (byteswap.h)
that gets somehow unnecessarily included in the reports for couple of
lines.
Jouni Malinen [Sun, 28 Dec 2014 17:30:26 +0000 (19:30 +0200)]
doc: Add D-Bus SignalPoll() method
Commit 7a4a93b9593575ffd64ba72739429d98e4b90858 ('dbus: Add SignalPoll()
method to report current signal properties') added this method, but
forgot to document it.
Jouni Malinen [Sun, 28 Dec 2014 16:07:09 +0000 (18:07 +0200)]
doc: Add D-Bus global Capabilities property
This property was added to the fi.w1.wpa_supplicant1 interface in commit 1634ac0654eba8d458640a115efc0a6cde3bac4d ('dbus: Add global capabilities
property'), but documentation was not updated.
Jouni Malinen [Sun, 28 Dec 2014 15:03:18 +0000 (17:03 +0200)]
doc: Fix D-Bus page format with newer Doxygen versions
It looks like the space indentation before the HTML command ended up
being converted to HTML tags getting shown as code text rather than
being used to control formatting. Fix this by removing indentation from
the first line of each HTML segment.
Jouni Malinen [Sat, 27 Dec 2014 20:50:17 +0000 (22:50 +0200)]
D-Bus(old): Fix removeNetwork and selectNetwork error handling
wpas_dbus_decompose_object_path() may leave the network part NULL on
unexpected path. This resulted in NULL pointer dereference when
processing an invalid removeNetwork or selectNetwork call. Fix this by
explicitly verifying that the network part was included in the object
path.
Jouni Malinen [Sat, 27 Dec 2014 19:00:11 +0000 (21:00 +0200)]
D-Bus: Fix P2P persistent group removal from non-D-Bus triggers
It is possible for the persistent group object to be added and removed
by non-D-Bus triggers (e.g., ctrl_iface commands). The add part was
already handled, but removal was not. That resulted in memory leaks when
a P2P persistent group was removed without using an explicit D-Bus
command for this even if the object was added without D-Bus involvement.
Jouni Malinen [Fri, 26 Dec 2014 17:57:24 +0000 (19:57 +0200)]
D-Bus: Fix WPS ConfigMethods getter to handle no value properly
wpas_dbus_simple_property_getter() cannot be used with NULL
DBUS_TYPE_STRING, so replace that with an empty string to handle the
case of no config_methods parameter in the configuration.
Jouni Malinen [Fri, 26 Dec 2014 16:19:36 +0000 (18:19 +0200)]
D-Bus: Fix P2P peer joined/disconnected handlers
It is possible for the peer to be a non-P2P device and as such, for
p2p_dev_addr to be NULL. This resulted in NULL pointer dereference if
D-Bus interface was enabled for the interface when a legacy STA joined a
group.
Jouni Malinen [Sat, 27 Dec 2014 13:37:13 +0000 (15:37 +0200)]
Clear next_scan_freqs on wpa_supplicant FLUSH command
It was possible for old scan state to remain from a previous test case
when an operation like WNM neighbor scan or another-BSS-in-ESS was
started, but stopped at the end of a test case. This could result in
failures, e.g., when running wnm_bss_tm_req followed by scan_setband.
Paul Stewart [Thu, 4 Dec 2014 22:23:35 +0000 (14:23 -0800)]
hostapd: Set stdout line-buffered
If hostapd will use stdout for debugging, set stdout to be line
buffered in case its output is redirected to a file. This allows
incremental output to be viewed immediately instead of at the file
buffering interval.
David Woodhouse [Thu, 18 Dec 2014 15:09:55 +0000 (15:09 +0000)]
OpenSSL: Do not require a PIN for PKCS#11
It isn't mandatory. If we need one and it's not present, the ENGINE will
try asking for it. Make sure it doesn't actually let an OpenSSL UI loose,
since we don't currently capture those.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 18 Dec 2014 15:09:47 +0000 (15:09 +0000)]
OpenSSL: Automatically enable PKCS#11 engine where it's needed
It needs to be available to ENGINE_by_id(), which in my case means it
needs to be /usr/lib64/openssl/engines/libpkcs11.so. But that's a system
packaging issue. If it isn't there, it will fail gracefully enough with:
ENGINE: engine pkcs11 not available [error:25066067:DSO support routines:DLFCN_LOAD:could not load the shared library]
TLS: Failed to set TLS connection parameters
EAP-TLS: Failed to initialize SSL.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 18 Dec 2014 15:09:40 +0000 (15:09 +0000)]
OpenSSL: Load dynamic ENGINE unconditionally
This means that if the PKCS#11 engine is installed in the right place
in the system, it'll automatically be invoked by ENGINE_by_id("pkcs11")
later, and things work without explictly configuring pkcs11_engine_path.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 18 Dec 2014 15:09:32 +0000 (15:09 +0000)]
OpenSSL: Automatically handle PKCS#11 URIs in private_key, ca/client_cert
If these start with "pkcs11:" then they are PKCS#11 URIs. These Just Work
in the normal private_key/ca_cert/client_cert configuration fields when
built with GnuTLS; make it work that way with OpenSSL too.
(Yes, you still need to explicitly set engine=1 and point to the engine,
but I'll work on that next...)
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
David Woodhouse [Thu, 18 Dec 2014 15:09:16 +0000 (15:09 +0000)]
OpenSSL: Allow pkcs11_module_path to be NULL
New versions of engine_pkcs11 will automatically use the system's
p11-kit-proxy.so to make the globally-configured PKCS#11 tokens available
by default. So invoking the engine without an explicit module path is
not an error.
Older engines will fail but gracefully enough, so although it's still an
error in that case there's no need for us to catch it for ourselves.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Jouni Malinen [Thu, 25 Dec 2014 13:30:42 +0000 (15:30 +0200)]
tests: Allow DFS test cases to be skipped
Some of the newer dfs_radar* test cases did not allow hostapd
startup to fail. Since these require relatively recent kernel
support, mark the test cases with skip rather than fail based
on that step failing.
Jouni Malinen [Mon, 29 Dec 2014 13:47:08 +0000 (15:47 +0200)]
tests: Fix --codecov cases to find correct wpa_cli/hostapd_cli
It was possible for the separate builds to not include
wpa_cli/hostapd_cli in the default location. Make sure hostapd_cli gets
built for --codecov cases and update both WPACLI and HAPDCLI paths to
match the alternative location.
Jouni Malinen [Thu, 25 Dec 2014 11:30:54 +0000 (13:30 +0200)]
tests: Verify that hostapd-as-RADIUS-server started
Large number of test cases will fail if hostapd fails to start as the
RADIUS server. To make this more obvious, verify that the RADIUS server
instance is running and do not even start test execution if the setup if
not work properly.
Jouni Malinen [Thu, 25 Dec 2014 11:20:42 +0000 (13:20 +0200)]
tests: Limit number of failed test cases in the curses output
It was possible for the scr.addstr() operations to fail and terminate
parallel-vm.py if the number of failed test cases increased beyond what
fits on the screen.
Jouni Malinen [Wed, 24 Dec 2014 18:46:07 +0000 (20:46 +0200)]
GnuTLS: Get rid of warnings about deprecated typedef names
'_t' suffix for gnutls_session and gnutls_transport_ptr was added in
GnuTLS 1.1.11 over ten years ago and the more recent versions of GnuTLS
have started forcing compiler warnings from the old names. Move to the
new names and don't bother about backwards compatibility with older
versions taken into account how long ago this change happened in GnuTLS.
Jouni Malinen [Wed, 24 Dec 2014 17:23:13 +0000 (19:23 +0200)]
P2P: Fix memory leak on GO startup failure path
Some of the struct hostapd_data variables get initialized with allocated
memory in the P2P GO case even before hapd->started has been set to 1.
As such, hostapd_free_hapd_data() needs to free these even if
!hapd->stated.
Jouni Malinen [Wed, 24 Dec 2014 16:40:25 +0000 (18:40 +0200)]
WPS: Do not indicate PBC overlap for the same BSS
Even if the UUID would have a mismatch, e.g., due to no UUID known for
the target in a new WPS PBC instance, do not indicate PBC session
overlap if the BSSID is same in the two entries. This should not really
happen in normal use cases, but can happen at least in some test
scenarios where the same BSSID is used in consecutive test cases and the
old BSS entry remains in cfg80211 cache.
Jouni Malinen [Wed, 24 Dec 2014 16:32:15 +0000 (18:32 +0200)]
tests: Make p2p_channel test cases more robust
Wait for a CTRL-EVENT-REGDOM-CHANGE even before returning from
set_country() to avoid issues with test operations being executed before
all components have had chance to update their regulatory domain
information. Some of these test cases could fail under heavy load.
Jouni Malinen [Wed, 24 Dec 2014 14:06:37 +0000 (16:06 +0200)]
tests: Process VM stdout output in full lines
Merge partial lines together before processing them in parallel-vm.py.
This avoids issues in cases where the stdout read gets split into pieces
that do not include the full READY/PASS/FAIL/SKIP information. In
addition, strip unnecessary whitespace (mainly, '\r') from the log
lines.
Jouni Malinen [Wed, 24 Dec 2014 09:40:03 +0000 (11:40 +0200)]
tests: Add debug logging for parallel-vm.py
parallel-vm.log is now written with details of test execution steps and
results. This makes it easier to debug if something goes wrong in VM
monitoring. The --debug option can be used to enable verbose debugging.
Jouni Malinen [Tue, 23 Dec 2014 20:25:29 +0000 (22:25 +0200)]
tests: Retry failed cases automatically in parallel VM run
parallel-vm.py is now retrying failed cases once at the end of the run.
If all the failed test cases passed on the second attempt, that is noted
in the summary output. Results are also indicated as the exit value from
the run: 0 = all cases passed on first run, 1 = some cases failed once,
but everything passed after one retry, 2 = some cases failed did not
succeed at all.
Jouni Malinen [Tue, 23 Dec 2014 18:34:13 +0000 (20:34 +0200)]
tests: Add more long duration test cases to parallel-vm.py list
This adds the remaining test cases that took more than 15 seconds to run
into the list of test cases to run at the beginning of the execution to
avoid these being left at the end when only some of the VMs may be
running.
Jouni Malinen [Tue, 23 Dec 2014 17:35:34 +0000 (19:35 +0200)]
nl80211: Check if_indextoname() return value for bridge events
It would be at least theoretically possible for the bridge netdev to
have disappeared at the time hostapd processes the RTM newlink/dellink
message. As such, it is better to verify that if_indextoname() actually
returned success before printing the bridge ifname in debug. In
addition, there is not much point trying to add the bridge ifindex into
the list of own ifindexes in case the interface has already been
removed, so skip that part as well.
Jouni Malinen [Tue, 23 Dec 2014 15:46:34 +0000 (17:46 +0200)]
tests: Optimize ap_qosmap test cases
Avoid unnecessary DATA_TEST_CONFIG calls and wlantest_cli invocations to
speed up the test cases. This drops ap_qosmap execution time from about
14 seconds to under 3 seconds.
Jouni Malinen [Tue, 23 Dec 2014 14:15:11 +0000 (16:15 +0200)]
tests: Make scan_hidden* more robust
Clear cfg80211 BSS table more carefully after the scan_hidden* test
cases. At least scan_hidden_many could have left behind a hidden SSID
entry that could cause problems for following scan_bss_operations test
case.
Jouni Malinen [Tue, 23 Dec 2014 11:44:38 +0000 (13:44 +0200)]
mesh: Delay Authentication frame process with no_auto_peer
There is a possible race condition between receiving the
NEW_PEER_CANDIDATE event and the Authentication frame from the peer.
Previously, if the Authentication frame RX event was indicated first,
that frame got dropped silently. Now, this frame is still dropped, but a
copy of it is stored and the frame gets processed on the following
NEW_PEER_CANDIDATE event if that is received for the same peer within
two seconds.
Jouni Malinen [Tue, 23 Dec 2014 11:10:22 +0000 (13:10 +0200)]
tests: Fix mesh no_auto_peer=1 test cases to allow enough time for retry
If the initial Authentication frame was too early for the peer (i.e.,
NEW_PEER_CANDIDATE event arrived only after the Authentication frame),
wpas_mesh_open_no_auto and wpas_mesh_secure_no_auto test cases were
failing since they waited only for 10 seconds for the connection to be
completed while the retry timer was set to 10-20 seconds on the
authenticator side.
Jouni Malinen [Tue, 23 Dec 2014 10:27:14 +0000 (12:27 +0200)]
tests: Fix wpas_ctrl_data_test with Linux 3.19-rc1
The kernel commit 'packet: make packet_snd fail on len smaller than l2
header' started rejecting <= 14 octet raw packet socket transmission.
This test case was testing with 14 ocets and that is now rejected by the
kernel. While this may be a kernel side issue, use one octet longer test
data for now to avoid undesired FAIL cases in hwsim tests.
Jouni Malinen [Mon, 22 Dec 2014 20:07:54 +0000 (22:07 +0200)]
tests: Fix ap_ht_40mhz_intolerant_ap
The previous design did not actually break from the wait loop when the
AP changed back to 40 MHz channel and as such, ended up waiting the full
30 second time. Furthermore, the five second delay time for returning
back to 40 MHz was not sufficiently long to test behavior correctly
since the STA did not have any chances of returning the next coex report
before the AP had returned to 40 MHz. Increase the AP wait time to 15
seconds so that the once per 10 seconds OBSS scan from the STA gets in
before changing back to 40 MHz channel (after the 40 MHz intolerant AP
gets disabled).
Jouni Malinen [Mon, 22 Dec 2014 20:07:03 +0000 (22:07 +0200)]
SME: Optimize OBSS scanning
Include only the potentially affected channel range in OBSS scans to
reduce the amount of offchannel time needed for scanning when requested
by the AP.
Jouni Malinen [Mon, 22 Dec 2014 19:54:11 +0000 (21:54 +0200)]
HT: More robust 20/40 coex Action frame parsing
Commit 587d60d2b74190d58ddeb6a30ab338352af1186a ('Add AP mode support
for HT 20/40 co-ex Action frame') added processing of co-ex report, but
did not include proper bounds checking or IE type checking for the
payload. Furthermore, this was not ready for the possible extensibility
of the 20/40 BSS Coexistence element.
Fix these by checking IE ids for both elements and doing more
apprioriate bounds checking for the element lengths to avoid potentially
reading beyond the frame buffer. Though, the event receive buffer in
both libnl and driver_nl80211_monitor.c is sufficiently large to make it
very unlikely that the maximum read of about 260 bytes beyond the end of
the Action frame would really have any chances of hitting the end of the
memory buffer, so the practical effect of missing bounds checking would
have been possibly accepting an invalid report frame and moving to 20
MHz channel unnecessarily.
Jouni Malinen [Mon, 22 Dec 2014 18:41:19 +0000 (20:41 +0200)]
HT: Fix 20/40 coex Action frame parsing
Commit 5ce3ae4c8f2a07c28e0bbae1b68e5524ee034387 tried to clean up
fetching a pointer to the action code field, but it forgot to add
IEEE80211_HDRLEN to the pointer. This resulted in the coex report
elements being read from too early in the frame.
Jouni Malinen [Mon, 22 Dec 2014 13:53:12 +0000 (15:53 +0200)]
tests: Merge grpform_cred_ready_timeout test cases into a single one
These test cases had a long 120 seconds wait for the GO Negotiation
initiator to time out. This can be done using two devices in parallel to
save two minutes from total test execution time.
Jouni Malinen [Mon, 22 Dec 2014 11:49:52 +0000 (13:49 +0200)]
Add more debug prints for WPA/RSN selection issues for connection
ap_ft_sae test case managed to hit a somewhat unclear error case which
resulted in "WPA: Failed to select WPA/RSN" print and not enough
information to figure out what exactly had went wrong.
Masashi Honma [Fri, 19 Dec 2014 05:59:52 +0000 (14:59 +0900)]
mesh: Make maximum number of peer links configurable
Maximum number of peer links is maximum number of connecting mesh peers
at the same time. This value is 0..255 based on the
dot11MeshNumberOfPeerings range.
Jouni Malinen [Sun, 21 Dec 2014 20:04:54 +0000 (22:04 +0200)]
tests: Make parallel VM start a bit more resource friendly
Wait one second between each kvm start to avoid hitting large number of
processes trying to start in parallel. This allows the VMs to be started
more efficiently for parallel-vm.py runs with large number of VMs.
Jouni Malinen [Sun, 21 Dec 2014 16:20:15 +0000 (18:20 +0200)]
tests: Optimize test case execution order for multiple VMs
Move test cases with long duration to the beginning as an optimization
to avoid last part of the test execution running a long duration test
case on a single VM while all other VMs have already completed their
work.
Jouni Malinen [Sun, 21 Dec 2014 14:41:59 +0000 (16:41 +0200)]
tests: Use new scripts for vm-run.sh codecov
Now there is only one set of commands to maintain. The separate reports
for individual components have not been of much use in the past, so they
are dropped for now.