Jouni Malinen [Fri, 30 May 2014 13:38:40 +0000 (16:38 +0300)]
tests: RADIUS server unreachable with error handling
radius_{auth,acct}_unreachable tested some parts of RADIUS client code
error handling. However, they did not test everything since the send()
calls for unreachable port on localhost did not return an error (that
error was reported on receive side). Extend this with similar test cases
using unreachable IP address to get send() error returns covered as
well.
Jouni Malinen [Fri, 30 May 2014 14:21:28 +0000 (17:21 +0300)]
RADIUS client: Fix socket close/re-open on server change
Both IPv4 and IPv6 sockets were not closed consistently in the paths
that tried to change RADIUS servers. This could result in leaking
sockets and leaving behind registered eloop events to freed memory on
interface removal.
Jerry Yang [Thu, 29 May 2014 06:32:33 +0000 (14:32 +0800)]
RADIUS client: Fix crash issue in radius_client_timer()
While iterating through RADIUS messages in radius_client_timer(), one
message entry may get flushed by "radius_client_retransmit -->
radius_client_handle_send_error --> radius_client_init_auth -->
radius_change_server --> radius_client_flush". This could result in
freed memory being accessed afterwards.
Jouni Malinen [Fri, 30 May 2014 08:33:01 +0000 (11:33 +0300)]
RADIUS client: Do not try to send message without socket
It is possible for the RADIUS authentication/accounting socket to not be
open even if partial RADIUS server configuration has been done through
the control interface SET commands. Previously, this resulted in send()
attempt using fd=-1 which fails with bad file descriptor. Clean this up
by logging this as a missing configuration instead of trying to send the
message when that is known to fail.
Eduardo Abinader [Thu, 29 May 2014 21:42:07 +0000 (17:42 -0400)]
hostapd_cli: Fix segmentation fault with interface command
ctrl_ifname was not being freed and allocated consistently by using
proper functions: os_free() and os_strdup(). This can result in
segmentation fault when these OS specific wrappers use different
implementation (e.g., with CONFIG_WPA_TRACE=y).
Jouni Malinen [Thu, 29 May 2014 13:45:48 +0000 (16:45 +0300)]
P2P: Debug print channel lists for invitation processing
This makes invitation process more consistent with GO Negotiation as far
as the debug log entries are concerned and the resulting log is more
helpful for understanding channel selection.
Jouni Malinen [Thu, 29 May 2014 10:51:19 +0000 (13:51 +0300)]
OpenSSL: Fix OCSP certificate debug print to use wpa_printf
Instead of using X509_print_fp() to print directly to stdout, print the
certificate dump to a memory BIO and use wpa_printf() to get this into
the debug log. This allows redirection of debug log to work better and
avoids undesired stdout prints when debugging is not enabled.
Jouni Malinen [Thu, 29 May 2014 10:43:01 +0000 (13:43 +0300)]
tests: Hide stdout from Popen() to avoid undesired stdout prints
ap_cipher_tkip_countermeasures_{ap,sta} printed out the MAC addresses in
stdout which resulted in the debug log not starting the PASS/FAIL
information at the beginning of the line. Hide these unnecessary prints
to avoid that.
Jouni Malinen [Tue, 27 May 2014 15:47:41 +0000 (18:47 +0300)]
nl80211: Do not add all virtual interfaces to drv->if_indices
Commit 04eff7d5ba96b5b452e4e1a70db3af6668762b08 or something around that
timeframe may have caused a regression on how drv->if_indices gets used
with wpa_supplicant. Most (curretly likely all) wpa_supplicant virtual
interface use cases should not actually use this. This could result in
issues with P2P group interfaces delivering events to incorrect
interface (parent rather than the group interface). The previous commit
removed some of the issues, but more complete fix is to undo some of
those merged hostapd/wpa_supplicant operations.
Filter add_ifidx() uses based on hostapd vs. wpa_supplicant and iftype
to get closer to the earlier wpa_supplicant behavior for the driver
events from virtual interfaces.
Jouni Malinen [Tue, 27 May 2014 15:16:58 +0000 (18:16 +0300)]
nl80211: Fix del_ifidx() with mixed parent interface cases
It is possible for a virtual interface to be added and removed by
different parent interfaces. This can happen, e.g., with P2P group
interfaces if the P2P parent interface does not happen to be the first
entry in the wpa_supplicant global interface list. That first entry is
used to remove the group interface while the addition would have
happened with the dedicated P2P management interface.
This can result in the interface that added a new virtual interface
getting stuck with an obsolete ifindex value in the drv->if_indeces list
and as such, deliver some extra events to incorrect destination wpa_s
instance. In particular, this can result in INTERFACE_DISABLED event
from deletion of a P2P group interface getting delivered incorrectly to
the parent wpa_s instance which would disable that interface even though
the interface remains in enabled state.
Fix this by clearing the removed interface from all if_indeces lists
instead of just the one that was used to delete the interface. This is
the simplest approach since the ifindex is unique and there is no need
to track which interface added the new virtual interface to always hit
the same one when removing the interface.
Jouni Malinen [Tue, 27 May 2014 09:09:25 +0000 (12:09 +0300)]
P2P: Clear p2p_auth_invite after each persistent group invitation
This makes the operations more consistent when going through multiple
persistent group re-invocation sequences in a row. Each invitation needs
to be accepted separately if persistent reconnect is not enabled.
Jouni Malinen [Sun, 25 May 2014 15:34:10 +0000 (18:34 +0300)]
GAS: Send error response if no room for pending dialog context
Instead of silently dropping the response that requires fragmentation,
send an error response to the station to make it aware that no full
response will be available.
Jithu Jance [Thu, 22 May 2014 06:55:53 +0000 (12:25 +0530)]
P2P: Avoid resetting pending_listen_freq if p2p_listen is pending
If p2p_listen is called while previous listen command's
remain_on_channel event is pending, the p2p_listen would fail
and it used to clear pending_listen_freq. Now when the remain-
on-channel event comes from the driver, the pending_listen_freq
doesn't match and gets ignored. This was leading to a case
where listen state was getting stuck (in case of WAIT_PEER_CONNECT
state).
Jouni Malinen [Wed, 21 May 2014 11:56:34 +0000 (14:56 +0300)]
tests: Add -rdynamic to fix TNC IMV/IMC loading on some platforms
The example IMV and IMC used for TNC testing has references to
wpa_printf and other functions from hostapd/wpa_supplicant. Link the
binaries in a way that allows these symbols to be resolved while loading
the libraries at run time.
Jouni Malinen [Mon, 19 May 2014 20:22:49 +0000 (23:22 +0300)]
tests: Add CAVP test vectors for RSA/PKCS #1 v1.5 signature validation
This allow the PKCS #1 and RSA implementation to be validated against
the test vectors from
http://csrc.nist.gov/groups/STM/cavp/documents/dss/186-2rsatestvectors.zip
and
http://csrc.nist.gov/groups/STM/cavp/documents/dss/SigVer15EMTest.txt.
Jouni Malinen [Mon, 19 May 2014 20:19:08 +0000 (23:19 +0300)]
Add function for building RSA public key from n and e parameters
This is similar to the existing functionality that parsed ASN.1-encoded
RSA public key by generating a similar public key instance from already
parsed n and e parameters.
Jouni Malinen [Mon, 19 May 2014 20:26:43 +0000 (23:26 +0300)]
PKCS #1: Enforce minimum padding for decryption in internal TLS
Follow the PKCS #1 v1.5, 8.1 constraint of at least eight octets long PS
for the case where the internal TLS implementation decrypts PKCS #1
formatted data. Similar limit was already in place for signature
validation, but not for this decryption routine.
Jouni Malinen [Mon, 19 May 2014 20:26:19 +0000 (23:26 +0300)]
PKCS #1: Allow only BT=01 for signature in internal TLS
Based on PKCS #1, v1.5, 10.1.3, the block type shall be 01 for a
signature. This avoids a potential attack vector for internal TLS/X.509
implementation.
Jouni Malinen [Mon, 19 May 2014 20:25:38 +0000 (23:25 +0300)]
X.509: Fix internal TLS/X.509 validation of PKCS#1 signature
Verify that there is no extra data after the hash field. This is needed
to avoid potential attacks using additional data to construct a value
that passes the RSA operation and allows the hash value to be forged.
Jouni Malinen [Sun, 18 May 2014 16:47:59 +0000 (19:47 +0300)]
tests: Add CAVP test vectors for byte-oriented SHA-1 and SHA-256
This allows the SHA-1 implementation to be validated against the
SHA1ShortMsg.rsp and SHA1LongMsg.rsp test vectors from
http://csrc.nist.gov/groups/STM/cavp/documents/shs/shabytetestvectors.zip.
Similarly, the SHA-256 can be validated against the SHA256ShortMsg.rsp
and SHA256LongMsg.rsp.
Jouni Malinen [Sat, 17 May 2014 19:52:40 +0000 (22:52 +0300)]
tests: Incorrect/missing password with TTLS non-EAP methods
Incorrect password was already tested with TTLS/MSCHAPv2, but the other
non-EAP inner methods in TTLS use their own implementation of password
validation, so check each and also verify the case of no matching EAP
user entry for the specific method.
Jouni Malinen [Fri, 16 May 2014 21:01:45 +0000 (00:01 +0300)]
TNC: Allow TNC to be enabled dynamically
Previously, hostapd had to be started with at least one of the
configuration files enabling TNC for TNC to be usable. Change this to
allow TNC to be enabled when the first interface with TNC enabled gets
added during runtime.
Jouni Malinen [Fri, 16 May 2014 19:37:54 +0000 (22:37 +0300)]
TNC: Allow tnc_config file path to be replaced
This is for enabling easier testing of TNCS/TNCC functionality as part
of the test scripts without having to use the fixed /etc/tnc_config
location that could be used by the main system and would require changes
within /etc.
Jouni Malinen [Fri, 16 May 2014 16:24:47 +0000 (19:24 +0300)]
tests: Add more details to help with initial setup configuration
This documents some more steps needed during initial test setup
configuration to make it easier to get this running even without
thorough knowledge of the network setup used by the operating system.
Masashi Honma [Tue, 13 May 2014 00:35:48 +0000 (09:35 +0900)]
eloop: Add epoll option for better performance
This patch adds epoll option for the eloop implementation. This can be
selected with the CONFIG_ELOOP_EPOLL=y build option.
[merit]
See Table1.
Table1. comparison table
+--------+--------+-----------+------------+-------------+
| | add fd | remove fd | prepare fd | dispatch fd |
+--------+--------+-----------+------------+-------------+
| select | O(1) | O(1) | O(N) | O(N) |
+--------+--------+-----------+------------+-------------+
| poll | O(1) | O(1) | O(N) | O(N) |
+--------+--------+-----------+------------+-------------+
| epoll | O(1) | O(1) | 0 | O(M) |
+--------+--------+-----------+------------+-------------+
"add fd" is addition of fd by eloop_sock_table_add_sock().
"remove fd" is removal of fd by eloop_sock_table_remove_sock().
"prepare fd" is preparation of fds before wait in eloop_run().
"dispatch fd" is dispatchment of fds by eloop_sock_table_dispatch().
"N" is all watching fds.
"M" is fds which could be dispatched after waiting.
As shown in Table1, epoll option has better performance on "prepare fd" column.
Because select/poll option requires setting fds before every select()/poll().
But epoll_wait() doesn't need it.
And epoll option has also better performance on "dispatch fd" column.
Because select/poll option needs to check all registered fds to find out
dispatchable fds. But epoll option doesn't require checking all registered fds.
Because epoll_wait() returns dispatchable fd set.
So epoll option is effective for GO/AP functionality.
[demerit]
The epoll option requires additional heap memory. In case of P2P GO, it is
about 8K bytes.
Jouni Malinen [Fri, 16 May 2014 13:49:17 +0000 (16:49 +0300)]
P2P: Iterate through full pref_chan list in search of a valid channel
p2p_get_pref_freq() went through the full list only if the channels
arguments was provided. If no channel list contraint was in place, the
first pref_chan item was picked regardless of whether it is valid
channel and as such, a later valid entry could have been ignored. Allow
this to loop through all the entries until a valid channel is found or
the end of the pref_chan list is reached. As an extra bonus, this
simplifies the p2p_get_pref_freq() implementation quite a bit.
hostapd: Check for overlapping 20 MHz BSS before starting 20/40 MHz BSS
Before starting a 20/40 MHz BSS on the 2.4 GHz band, a 40-MHz-capable HT
AP is required by the rules defined in IEEE Std 802.11-2012 10.15.5 to
examine the channels of the current operational regulatory domain to
determine whether the operation of a 20/40 MHz BSS might unfairly
interfere with the operation of existing 20 MHz BSSs. The AP (or some of
its associated HT STAs) is required to scan all of the channels of the
current regulatory domain in order to ascertain the operating channels
of any existing 20 MHz BSSs and 20/40 MHz BSSs. (IEEE 802.11-2012 S.5.2
Establishing a 20/40 MHz BSS).
Add the check for an overlapping 20 MHz BSS to the initial AP scan for
the P == OT_i case in 10.15.3.2.
Eduardo Abinader [Wed, 14 May 2014 13:08:47 +0000 (09:08 -0400)]
WPS: Deinit before wpas_p2p_disconnect()
When there is a pending WPS negotiation for P2P and signal interrupt is
triggered, invalid read occurs in wpas_wps_terminate_pending() if
wpas_p2p_disconnect() removed the interface. Inverting deinit order
solves the issue.
Simon Baatz [Thu, 15 May 2014 18:10:39 +0000 (20:10 +0200)]
SCARD: Fix GSM authentication on USIM
scard_gsm_auth() used SIM_CMD_GET_RESPONSE for both SIM and USIM. Convert
the command into USIM_CMD_GET_RESPONSE for USIM.
Since commit eb324600295 ("Fix switching from EAP-SIM to EAP-AKA/AKA'")
EAP-SIM is using the USIM if available. This triggers a probably ancient
bug in scard_gsm_auth(), which results in sending the wrong get response
command to the USIM. Thus, EAP-SIM stopped to work after this change on
USIMs that expect the proper command.
Jouni Malinen [Thu, 15 May 2014 21:27:47 +0000 (00:27 +0300)]
tests: Make GAS test cases more robust
Scan explicitly for the specific AP to work around issues where under
heavy CPU load, the single active scan round may miss the delayed Probe
Response from the AP. In addition, verify that ANQP_GET commands succeed
to make error cases clearer in the log.
Jouni Malinen [Thu, 15 May 2014 20:58:10 +0000 (23:58 +0300)]
tests: Verify P2P GO Negotiation wait-for-ready timeout
This verifies that the wait for peer to be ready for GO Negotiation is
timed out properly at no less than 120 seconds. Since this is a long
test case, it is disabled by default without the --long option.
Rashmi Ramanna [Wed, 14 May 2014 09:05:02 +0000 (14:35 +0530)]
P2P: Modify the timeout for GO Negotiation on no concurrent session
Peer should handle a GO Negotiation exchange correctly when the
responding device does not have WSC credentials available at the
time of receiving the GO Negotiation Request. WSC Credentials
(e.g., Pushbutton) can be entered within the 120 second timeout.
Presently, if concurrent session is not active, the peer would wait for
GO Negotiation Request frame from the other device for approximately one
minute due to the earlier optimization change in commit a2d63657603b8f0714274f34bea45cb5d0c0a7b9. To meet the two minute
requirement, replace this design based on number of iterations with a
more appropriate wait for the required number of seconds.
Jouni Malinen [Thu, 15 May 2014 19:16:19 +0000 (22:16 +0300)]
P2P: Refrain from performing extended listen during PD
Extend the previous commit 0f1034e3889e7b8f54ed59317f1234db8167d12e to
skip extended listen also based on ongoing provision discovery operation
(which does not show up as a separate P2P module state and as such, was
not coveraged by the previous commit).
Jouni Malinen [Thu, 15 May 2014 18:32:54 +0000 (21:32 +0300)]
P2P: Clear P2P state if active interface is disabled
The radio works for the interface get removed if interface is disabled.
This could have left P2P module in invalid state if the interface got
disabled during a p2p_find or p2p_listen operation. Clear the state in
such a case to avoid blocking following operations due to P2P module
assuming it is still in progress of doing something.
Jouni Malinen [Thu, 15 May 2014 18:09:48 +0000 (21:09 +0300)]
Add DRIVER_EVENT ctrl_iface command for testing purposes
This new command can be used to simulate driver events without having to
go through the driver wrapper or kernel code for this. This enables more
testing coverage with hwsim.
Jouni Malinen [Thu, 15 May 2014 11:13:39 +0000 (14:13 +0300)]
tests: Make discovery_group_client more robust
Allow three P2P_FIND attempts for discovering the GO on a non-social
channels since the single Probe Response frame can be missed easily
under heavy CPU load.
Jouni Malinen [Wed, 14 May 2014 22:02:03 +0000 (01:02 +0300)]
tests: Make WPS test cases more robust
Scan explicitly for the AP that may be started during the test case
execution. This is needed to work around issues where under heavy CPU
load, the single active scan round may miss the delayed Probe Response
from the second AP.
Jouni Malinen [Wed, 14 May 2014 21:31:30 +0000 (00:31 +0300)]
tests: Make ap_wpa2_eap_ttls_server_cert_hash_invalid more robust
Instead of checking for multiple EAP starts (which can occur if
EAPOL-Start from supplicant goes out quickly enough, e.g., due to CPU
load), look for the explicit message indicating that TTLS method
initialization failed.
Jouni Malinen [Wed, 14 May 2014 14:02:32 +0000 (17:02 +0300)]
tests: Make FT test cases more robust
Scan explicitly for the AP that may be started during the test case
execution. This is needed to work around issues where under heavy CPU
load, the single active scan round may miss the delayed Probe Response
from the second AP. In addition, check for ROAM/FT_DS failures to be
able to report errors more clearly.
Jouni Malinen [Wed, 14 May 2014 10:35:32 +0000 (13:35 +0300)]
tests: Make HS 2.0 test cases more robust
Scan explicitly for the AP that may be started during the test case
execution. This is needed to work around issues where under heavy CPU
load, the single active scan round may miss the delayed Probe Response
from the second AP.
Jouni Malinen [Wed, 14 May 2014 09:54:13 +0000 (12:54 +0300)]
tests: Make scan and scan_only more robust
These can fail during heavy CPU load due to active scan dwell time not
being long enough to catch the delayed Probe Response frame from the AP.
Work around this by allowing multiple scan attempts to see the response.
Jouni Malinen [Tue, 13 May 2014 23:31:55 +0000 (02:31 +0300)]
tests: Verify P2P GO start when scan_req = MANUAL_SCAN_REQ
There was a bug in this code path that resulted in the
skip-scan-to-start-GO case to not actually skip the scan. It looks like
this could be hit at least when autoscan was enabled, but it is possible
that some other sequences could hit this as well.