Jouni Malinen [Sun, 30 Nov 2014 13:47:07 +0000 (15:47 +0200)]
mesh: Skip fast-association when using connect_without_scan
The mesh group addition was designed to use wpa_s->connect_without_scan
to skip a scan. That path was skipped if wpa_supplicant_fast_associate()
allowed previous scan results to be used. This could result in undesired
double-initialization attempt for the mesh interface. Avoid this by not
using wpa_supplicant_fast_associate() when wpa_s->connect_without_scan
is set.
Jouni Malinen [Sun, 30 Nov 2014 13:46:09 +0000 (15:46 +0200)]
mesh: Check for initialization failures
It is possible that these locations ended up getting called before mesh
startup operations had been completed and that could result in
dereferencing NULL pointers. Address those error cases by verifying that
the needed parameters are available before using them.
Jouni Malinen [Sun, 30 Nov 2014 13:44:37 +0000 (15:44 +0200)]
tests: Stop connection at the end of monitor_iface_unknown_sta
Do not leave the station trying to connect at the end of the test case
since that can have an effect on the following test case. Such sequences
should be tested in test cases that are specifically designed for that
rather than randomly between test cases.
Jouni Malinen [Sun, 30 Nov 2014 13:42:26 +0000 (15:42 +0200)]
Ignore auth/assoc timeout events in mesh configuration
It was possible for auth/assoc timeout/failure event from the driver to
result in unexpected processing during mesh group setup if that
operation was started before the previously started driver operation to
association/connect had completed. Since those events cannot happen in
mesh cases, ignore them to avoid issues due to this corner case.
For example, monitor_iface_unknown_sta followed by wpas_mesh_secure test
case resulted in failure without this change.
Jouni Malinen [Sun, 30 Nov 2014 13:39:34 +0000 (15:39 +0200)]
Fix omac1_aes_128_vector() not to read beyond addr/len array
Previously, it was possible for the loop through the data components to
increment addr/len index at the last position beyond the declared size.
This resulted in reading beyond those arrays. The read values were not
used and as such, this was unlikely to cause noticeable issues, but
anyway, memory checkers can detect this and the correct behavior is to
stop increments before going beyond the arrays since no more bytes will
be processed after this anyway.
Jouni Malinen [Sun, 30 Nov 2014 13:37:55 +0000 (15:37 +0200)]
mesh: Avoid a false maybe-uninitialized compiler warning
An earlier check of the action_field value above the switch statement
already took care of all other possible cases, but that was apparently
too difficult for the compiler to notice. Bring back the default case to
avoid incorrect warnings about the event variable being maybe
uninitialized.
Jouni Malinen [Sat, 29 Nov 2014 13:44:57 +0000 (15:44 +0200)]
tests: Simplify Michael MIC test file writing
Since run-tests.py is now required to run as root, there is no need to
use the somewhat awkward "sudo tee" construction; instead, just write
directly to the file.
Jouni Malinen [Sat, 29 Nov 2014 13:22:43 +0000 (15:22 +0200)]
tests: Make go_neg_with_bss_on_disallowed_chan more robust
Clear scan results to avoid PBC overlap issues caused by earlier test
cases. For example, go_neg_with_bss_connected followed by
go_neg_with_bss_on_disallowed_chan resulted in failure before this
change.
Jouni Malinen [Sat, 29 Nov 2014 11:31:54 +0000 (13:31 +0200)]
Clear WLAN_STA_ASSOC_REQ_OK on AP-initiated deauthentication
This flag was left in the STA entry for the short duration after the STA
gets deauthenticated. If the STA sends a Class 2 or 3 frame during that
short time, the AP would not have replied with Deauthentication frame
indicating no association is present.
Jouni Malinen [Fri, 28 Nov 2014 16:23:11 +0000 (18:23 +0200)]
tests: Increase retry limit and timeout for wpas_mesh_open_no_auto
This test case was failing every now and then due to dev1
(no_auto_peer=1) not receiving the new-peer-candidate event in time
before dev0 has already stopped retries on mesh peering open message.
This sounds somewhat expected with the default 4 * 40 ms = 160 ms
retries and 1000 TU beacon interval. Use maximum timeout 16 * 255 ms =
4080 ms to make this test case less likely to fail.
Jouni Malinen [Fri, 28 Nov 2014 15:21:51 +0000 (17:21 +0200)]
wext: Fix non-WPA/WPA2 connection with extra IEs
The associate() handler was not prepared for params->wpa_ie containing
some other IEs than WPA/RSN IE and ended up configuring security policy
incorrectly for open networks if such IEs were present. Fix this by
using wpa_proto parameter instead of IEs to determine security policy
for driver configuration.
Jouni Malinen [Fri, 28 Nov 2014 14:54:31 +0000 (16:54 +0200)]
tests: Optimize autogo test cases by removing unnecessary scans
Keep full channel scans in autogo for test coverage, but use single
channel scan in all other autogo* test cases to remove unnecessary
waiting that does not add any test coverage. This removes more than one
minute from the total test execution time.
Jouni Malinen [Fri, 28 Nov 2014 14:00:24 +0000 (16:00 +0200)]
tests: Make go_neg_forced_freq_diff_than_bss_freq more robust
It was possible for this test case to fail due to PBC overlap that was
detected based on previous test case having used PBC. Make that false
positive less likely to happen by explicitly clearing the scan cache on
the device.
p2p_oper_reg_class and p2p_oper_channel need to be restored to 0, not an
arbitrary 2.4 GHz channel to avoid issues for following test cases. For
example, p2p_channel_random_social_with_op_class_change followed by
p2p_autogo_pref_chan_not_in_regulatory ended up with the latter test
case failing.
Jouni Malinen [Fri, 28 Nov 2014 11:40:34 +0000 (13:40 +0200)]
tests: Make hidden SSID test cases more robust
Clear wpa_supplicant and cfg80211 scan results at the end of hidden SSID
test cases to avoid potential issues for following test cases. For
example, ap_hs20_session_info could fail if executed immediately after
ssid_hidden due to the AP configuration change from open to RSN not being
noticed.
Jouni Malinen [Fri, 28 Nov 2014 17:44:58 +0000 (19:44 +0200)]
proxyarp: Relax frame length limit for RA and NA
Only the NS frames should be checked to be long enough to cover all the
fields used in the NS data structure. This allows shorter RA and NA
frames to be processed for multicast-to-unicast rules.
Jouni Malinen [Fri, 28 Nov 2014 17:27:07 +0000 (19:27 +0200)]
proxyarp: Add debug log entry on multicast-to-unicast conversion
This makes it easier to debug operations. The debug message is marked
EXCESSIVE, though, to avoid filling the logs with too much information
in default debugging cases.
Jouni Malinen [Fri, 28 Nov 2014 17:26:11 +0000 (19:26 +0200)]
Add DATA_TEST_FRAME for testing Data frame processing on AP side
The new hostapd control interface command can be used in automated
testing to verify how AP processes Data frames with arbitrary contents.
This is enabled only in builds with CONFIG_TESTING_OPTIONS=y.
Jouni Malinen [Fri, 28 Nov 2014 16:36:40 +0000 (18:36 +0200)]
proxyarp: Try multicast-to-unicast conversion only for authorized STAs
There is no point in trying to send the unicast converted version to a
STA that is not in authorized state since the driver would be expected
to drop normal TX Data frames in such state.
Jouni Malinen [Thu, 27 Nov 2014 21:53:22 +0000 (23:53 +0200)]
tests: Convert proxyarp tests to use DATA_TEST_FRAME
This is more robust and extensible than configuring IPv6 addresses on
the interfaces and trying to use ping6 or some other external tools to
generate suitable IPv6 frames.
Jouni Malinen [Thu, 27 Nov 2014 21:51:46 +0000 (23:51 +0200)]
Add DATA_TEST_FRAME for testing Data frame processing
The new wpa_supplicant control interface command can be used in
automated testing to verify how AP processes Data frames with arbitrary
contents. This is enabled only in builds with CONFIG_TESTING_OPTIONS=y.
Jouni Malinen [Thu, 27 Nov 2014 19:22:31 +0000 (21:22 +0200)]
tests: Make p2p_msg_invitation_req_to_go more robust
Wait for GO to start before sending invitation frames in the protocol
test. Without this, it was possible to hit the 5 second timeout on
management frame RX under load.
Jouni Malinen [Thu, 27 Nov 2014 19:06:18 +0000 (21:06 +0200)]
tests: Make go_neg_with_bss_connected more robust
It was possible for this test case to fail due to PBC overlap that was
detected based on previous test case having used PBC. Make that false
positive less likely to happen by explicitly clearing the scan cache on
the devices.
Jouni Malinen [Thu, 27 Nov 2014 18:33:35 +0000 (20:33 +0200)]
tests: Make ap_wps_reg_config_tkip failure log more helpful
The "Not fully connected" report did not clearly identify what went
wrong, so make this more verbose in hope of being able to determine what
happened should this test case fail again.
Jouni Malinen [Thu, 27 Nov 2014 18:30:07 +0000 (20:30 +0200)]
tests: Increase WPS connection timeout to make tests more robust
It was possible to hit the 10 second timeout in some test cases under
heavy load (e.g., with large number of VMs running tests in parallel).
These timeouts are not really indicating any real error, so make them
less likely to show up in reports by increasing the connection timeout
to 30 seconds.
Jouni Malinen [Thu, 27 Nov 2014 18:08:15 +0000 (20:08 +0200)]
tests: Optimize run-tests.py --prefill-tests startup time
It took a significant part of the startup latency to prefill the database
with test cases due to the SQL COMMIT operation between each added row.
Move COMMIT to outside the loop to speed startup significantly.
Jouni Malinen [Thu, 27 Nov 2014 17:48:41 +0000 (19:48 +0200)]
tests: Follow test sequence from run-tests.py command line
It can be useful to specify an exact order of test cases and also to
allow the same test case to be run multiple times when the list of tests
is provided on the command line.
Jouni Malinen [Thu, 27 Nov 2014 17:00:02 +0000 (19:00 +0200)]
WMM AC: Fix memory leak on deinit without disassoc event
It was possible for wmm_ac_deinit() not getting called when an interface
was removed in a sequence where disassociation was not reported and
wmm_ac_notify_disassoc() did not get called. This resulted in leaking
whatever memory was allocated for WMM AC parameters. Fix that by calling
wmm_ac_notify_disassoc() from wpa_supplicant_cleanup().
Johannes Berg [Thu, 27 Nov 2014 15:13:57 +0000 (16:13 +0100)]
tests: Use tshark -Y instead of tshark -R
Newer versions of tshark don't like the -R (read filter) argument
for filtering and just show a deprecation warning. Use -Y (display
filter) instead, which hopefully also works on older versions.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Rashmi Ramanna [Wed, 26 Nov 2014 15:53:55 +0000 (21:23 +0530)]
P2P: Reinvite with social operation channel if no common channels
If invitation to reinvoke a persistent group from the GO fails with the
peer indicating that there are no common channels, there is no defined
means for the peer to indicate which channel could have worked. Since
this type of issue with available channels changing over time can
happen, try to work around this by retrying invitation using one of the
social channels as the operating channel unless a specific operating
channel was forced for the group.
Jouni Malinen [Thu, 27 Nov 2014 15:41:02 +0000 (17:41 +0200)]
Clear scan_req to NORMAL_SCAN_REQ for connection attempt
This is needed to fix some sequences where a real scan in ap_scan=2
case would be issued even when the connection case would expect direct
connection without a scan.
This fixed an issue shown in hwsim test case autoscan_exponential
followed by ibss_open_fixed_bssid.
Jouni Malinen [Thu, 27 Nov 2014 14:39:14 +0000 (16:39 +0200)]
nl80211: Change iftype to station on leaving mesh
This is needed to make following operations behave as expected since
mesh iftypes may prevent various operations (e.g., registering Probe
Request frame RX). Use same design as leave_ibss does to handle this
consistently.
Jouni Malinen [Thu, 27 Nov 2014 12:59:28 +0000 (14:59 +0200)]
nl80211: Clear ignore_if_down_event if interface is up
It was possible for the ignore_if_down_event flag to remain set in some
cases where interface mode change required the interface to be set down
temporarily. If that happened, the following rfkill interface down could
have been ignored and device could have been left trying to scan or
connect (which would all fail due to the interface being down). Clean
this up by clearing the ignore_if_down_event flag on the interface down
event regardless of whether the interface is up at the time this event
is processed.
Jouni Malinen [Thu, 27 Nov 2014 12:04:51 +0000 (14:04 +0200)]
tests: Replace last remaining hwsim_test uses with DATA_TEST
External tool is not needed anymore to run the data connectivity tests
since hostapd test mode now allows the possible bridge or VLAN interface
to be specified.
Jouni Malinen [Tue, 25 Nov 2014 23:14:41 +0000 (01:14 +0200)]
nl80211: Fix br_ifindex storing when hostapd creates the bridge
Commit 6c6678e7a456d4af58a2bf24ec8f15fb8b8b24ef ('nl80211: Make
br_ifindex available in i802_bss') did not cover the case where
i802_check_bridge() ends up creating the bridge interface. That left
bss->br_ifindex zero and prevented neighbor addition. Extend that
functionality to update br_ifindex once the bridge netdev has been
added.
Jouni Malinen [Tue, 25 Nov 2014 23:05:24 +0000 (01:05 +0200)]
proxyarp: Fix DHCP and ND message structures
These need to be marked packed to avoid issues with compilers
potentially adding padding between the fields (e.g., gcc on 64-bit
seemed to make struct icmpv6_ndmsg two octets too long which broke IPv6
address discovery).
Neelansh Mittal [Tue, 25 Nov 2014 10:11:28 +0000 (15:41 +0530)]
Do not re-open Android control sockets
On Android, the control socket being used may be the socket that is
created when wpa_supplicant is started as a /init.*.rc service. Such a
socket is maintained as a key-value pair in Android's environment.
Closing this control socket would leave wpa_supplicant in a bad state.
When wpa_supplicant re-opens the ctrl_iface socket, it will query the
Android's environment, and will be returned with the same socket
descriptor that has already been closed.
Jouni Malinen [Tue, 25 Nov 2014 14:58:21 +0000 (16:58 +0200)]
proxyarp: Use C library header files and CONFIG_IPV6
This replaces the use of Linux kernel header files (linux/ip.h,
linux/udp.h, linux/ipv6.h, and linux/icmpv6.h) with equivalent header
files from C library. In addition, ndisc_snoop.c is now built
conditionally on CONFIG_IPV6=y so that it is easier to handle hostapd
builds with toolchains that do not support IPv6 even if Hotspot 2.0 is
enabled in the build.
Masashi Honma [Tue, 25 Nov 2014 02:04:41 +0000 (11:04 +0900)]
SAE: Fix Anti-Clogging Token request frame format
This commit inserts Finite Cyclic Group to Anti-Clogging Token request
frame because IEEE Std 802.11-2012, Table 8-29 says "Finite Cyclic Group
is present if Status is zero or 76".
Jouni Malinen [Tue, 25 Nov 2014 13:19:19 +0000 (15:19 +0200)]
tests: Clear sae_groups to default value in forgotten cases
It was possible for some of the SAE test cases (e.g., ap_ft_sae) to fail
if they were run after the sae_groups test case that left the SAE group
configuration to a value that is not enabled by default. Fix this by
clearing sae_groups setting in the couple of test cases that were not
yet doing this.
Jouni Malinen [Sun, 23 Nov 2014 19:08:13 +0000 (21:08 +0200)]
WPA: Use more explicit WPA/RSN selector count validation
Some static analyzers had problems understanding "left < count * len"
(CID 62855, CID 62856), so convert this to equivalent "count > left /
len" (len here is fixed to 4, so this can be done efficiently).
Jouni Malinen [Sun, 23 Nov 2014 18:57:34 +0000 (20:57 +0200)]
WPS: Add explicit message length limit of 50000 bytes
Previously, this was implicitly limited by the 16-bit length field to
65535. This resulted in unhelpful static analyzer warnings (CID 62868).
Add an explicit (but pretty arbitrary) limit of 50000 bytes to avoid
this. The actual WSC messages are significantly shorter in practice, but
there is no specific protocol limit, so 50000 is as good as any limit to
use here.
Jouni Malinen [Sun, 23 Nov 2014 18:51:26 +0000 (20:51 +0200)]
PeerKey: Clean up EAPOL-Key Key Data processing on AP
This extends the earlier PeerKey station side design to be used on the
AP side as well by passing pointer and already validated length from the
caller rather than parsing the length again from the frame buffer. This
avoids false warnings from static analyzer (CID 62870, CID 62871,
CID 62872).
Jouni Malinen [Sun, 23 Nov 2014 18:39:52 +0000 (20:39 +0200)]
EAP-IKEv2: Make proposal_len validation clearer
Some static analyzers seem to have issues understanding "pos +
proposal_len > end" style validation, so convert this to "proposal_len >
end - pos" to make this more obvious to be bounds checking for
proposal_len. (CID 62874)
Jouni Malinen [Sun, 23 Nov 2014 18:36:17 +0000 (20:36 +0200)]
EAP-FAST: Make PAC file A_ID parser easier to analyze
Some static analyzers seem to have issues with "pos + len > end"
validation (CID 62875), so convert this to "len > end - pos" to make it
more obvious that len is validated against its bounds.
Jouni Malinen [Sun, 23 Nov 2014 18:31:08 +0000 (20:31 +0200)]
EAP-FAST: Clean up binary PAC file parser validation steps
This was too difficult for some static analyzers (CID 62876). In
addition, the pac_info_len assignment should really have explicitly
validated that there is room for the two octet length field instead of
trusting the following validation step to handle both this and the
actual pac_info_len bounds checking.
Jouni Malinen [Sun, 23 Nov 2014 18:23:35 +0000 (20:23 +0200)]
radiotap: Initialize all members in ieee80211_radiotap_iterator_init()
_next_ns_data could look like it would be used uninitialized in
ieee80211_radiotap_iterator_next() to static analyzers. Avoid
unnecessary reports by explicitly initializing all variables in struct
ieee80211_radiotap_iterator. (CID 62878)
Jouni Malinen [Sun, 23 Nov 2014 18:04:29 +0000 (20:04 +0200)]
HS 2.0: Clarify OSU Server URI length validation
The previous version was valid, but apparently too complex for some
static analyzers. Use a local variable for uri_len and explicitly
compare it against the remaining buffer length. (CID 68121)
Jouni Malinen [Sun, 23 Nov 2014 16:43:59 +0000 (18:43 +0200)]
Use more explicit num_pmkid validation in RSN IE parsing
Static analyzers may not have understood the bounds checking on
data->num_pmkid. Use a local, temporary variable and validate that that
value is within length limits before assigning this to data->num_pmkid to
make this clearer. (CID 62857, CID 68126)
Jouni Malinen [Sun, 23 Nov 2014 16:32:04 +0000 (18:32 +0200)]
PCSC: Use clearer file TLV length validation step
This makes it easier for static analyzer to confirm that the length
field bounds are checked. WPA_GET_BE16() is also used instead of
explicit byte-swapping operations in this file. (CID 68129)
Jouni Malinen [Sun, 23 Nov 2014 15:48:34 +0000 (17:48 +0200)]
TLS client: Check DH parameters using a local variable
Use a temporary, local variable to check the DH parameters received from
the server before assigning the length to the struct tlsv1_client
variables. This will hopefully make it easier for static analyzers to
figure out that there is bounds checking for the value. (CID 72699)
Jouni Malinen [Sun, 23 Nov 2014 15:06:24 +0000 (17:06 +0200)]
RADIUS client: Print a clear debug log entry if socket is not available
It could have been possible to select a socket that is not open
(sel_sock == -1) and try to use that in socket operations. This would
fail with potentially confusing error messages. Make this clearer by
printing a clear debug log entry on socket not being available.
(CID 72696)
Jouni Malinen [Sun, 23 Nov 2014 14:37:16 +0000 (16:37 +0200)]
IKEv2: Use a bit clearer payload header validation step
It looks like the "pos + plen > end" case was not clear enough for a
static analyzer to figure out that plen was being verified to not go
beyond the buffer. (CID 72687)
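
The check rewrites described in the WPA/RSN selector count, EAP-IKEv2, EAP-FAST and IKEv2 entries above, as an added example that is not code from hostapd or wpa_supplicant. The function names and inputs are constructed, and the 32-bit count is an assumption that goes beyond the 16-bit fields in those commits, used to show why the division form stays correct for any field width.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SELECTOR_LEN 4u /* octets per selector, fixed as in the commit text */

/* "left < count * len" form. With a 32-bit count (an assumption made for
 * this example) the product wraps modulo 2^32, so a huge count can pass. */
int count_ok_mul(uint32_t count, uint32_t left)
{
	return !(left < count * SELECTOR_LEN);
}

/* "count > left / len" form. The division cannot wrap, so the check holds
 * for every count value. */
int count_ok_div(uint32_t count, uint32_t left)
{
	return !(count > left / SELECTOR_LEN);
}

/* Parse a 16-bit big-endian length followed by that many value octets.
 * Returns the value length, or -1 if the buffer is truncated. */
int value_len(const uint8_t *buf, size_t buflen)
{
	const uint8_t *pos = buf, *end = buf + buflen;
	size_t len;

	if (end - pos < 2)
		return -1;
	len = ((size_t) pos[0] << 8) | pos[1];
	pos += 2;
	/* "len > end - pos" form: compares against the octets remaining and
	 * never forms the pointer pos + len, which may lie outside the buffer. */
	if (len > (size_t) (end - pos))
		return -1;
	return (int) len;
}

int main(void)
{
	/* Constructed sample buffers: a complete field and a truncated one. */
	static const uint8_t ok[] = { 0x00, 0x03, 'a', 'b', 'c' };
	static const uint8_t trunc[] = { 0x00, 0x04, 'a', 'b', 'c' };

	/* 8 octets left: count 2 fits, 0x40000001 does not (product wraps to 4). */
	printf("mul form, count=2:          %d\n", count_ok_mul(2, 8));
	printf("div form, count=2:          %d\n", count_ok_div(2, 8));
	printf("mul form, count=0x40000001: %d\n", count_ok_mul(0x40000001u, 8));
	printf("div form, count=0x40000001: %d\n", count_ok_div(0x40000001u, 8));
	printf("complete field:  %d\n", value_len(ok, sizeof(ok)));
	printf("truncated field: %d\n", value_len(trunc, sizeof(trunc)));
	return 0;
}
```
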
Send link measurement response when a request is received. Advertise
only RCPI, computing it from the RSSI of the request. The TX power field
is left to be filled by the driver. All other fields are not published.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Assaf Krauss [Wed, 5 Nov 2014 08:42:51 +0000 (03:42 -0500)]
wpa_supplicant: Add NEIGHBOR_REP_REQUEST command to the control interface
Add NEIGHBOR_REP_REQUEST command to the wpa_supplicant ctrl_iface.
This command triggers the sending of a Neighbor Report Request to the
associated AP.