Jouni Malinen [Mon, 3 Jun 2019 17:25:56 +0000 (20:25 +0300)]
tests: Fix EAP-FAST protocol testing with older OpenSSL library versions
Looks like the previous fix for a newer OpenSSL versions broke
functionality with older versions that did not seem to like @SECLEVEL=0
in the cipher list. Make that addition conditional on OpenSSL version to
work with both versions.
Fixes: e87e6f609bb1 ("tests: Fix EAP-FAST protocol testing with newer OpenSSL and pyOpenSSL") Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Masashi Honma [Thu, 30 May 2019 08:05:53 +0000 (17:05 +0900)]
tests: Fix dfs_cac_restart_on_enable false negative by using common finalizer
dfs_cac_restart_on_enable fails with this message.
---------------
START dfs_cac_restart_on_enable 1/1
wlan0: Country code not reset back to 00: is FI
wlan0: Country code cleared back to 00
FAIL dfs_cac_restart_on_enable 3.037694 2019-05-28 01:35:07.548390
failed tests: dfs_cac_restart_on_enable
---------------
Jouni Malinen [Sat, 1 Jun 2019 11:53:24 +0000 (14:53 +0300)]
tests: New style fuzzing tool for wpa_supplicant WNM handling
This is a newer version of tests/wnm-fuzzer tool as the initial step in
creating a more uniform set of fuzzing tools that can be used with both
libFuzzer and afl-fuzz.
Add QCA vendor attributes for configuring Spectral DMA debug
Add the following vendor attributes under the enum
qca_wlan_vendor_attr_spectral_scan to support the configuration of
Spectral DMA debug.
1. QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_CONFIG_DMA_RING_DEBUG
Enable/disable debug of the Spectral DMA ring
2. QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_CONFIG_DMA_BUFFER_DEBUG
Enable/disable debug of the Spectral DMA buffers
Hai Shalom [Wed, 29 May 2019 03:30:41 +0000 (20:30 -0700)]
EAP-SIM/AKA: Add support for anonymous@realm
SIM-based EAP authentication with IMSI encryption requires a special EAP
Identity response: anonymous@realm. Then the server sends AKA-Identity
request which is answered with the encrypted IMSI. Add logic that
indicates if the special anonymous identity is used. Otherwise, this
field is used for storing the pseudonym.
Test: Connect to Carrier Wi-Fi, verify correct behavior from captures
Test: Connect to non IMSI encrypted EAP-AKA AP, verify pseudonym usage Signed-off-by: Hai Shalom <haishalom@google.com>
Srinivas Dasari [Thu, 16 May 2019 09:31:14 +0000 (15:01 +0530)]
SAE: Do not send PMKID to the driver if PMKSA caching is disabled
External auth status to the driver includes the PMKID derived as part of
SAE authentication, but this is not valid if PMKSA caching is disabled.
Drivers might not be expecting PMKID when it is not valid. Do not send
the PMKID to the driver in such cases.
Srinivas Dasari [Thu, 16 May 2019 09:21:36 +0000 (14:51 +0530)]
SAE: Send external auth failure status to driver
wpa_supplicant prepares auth commit request as part of the external
authentication (first SAE authentication frame), but it fails to get
prepared when wpa_supplicant is started without mentioning the SAE
password in configuration. Send this failure status to the driver to
make it aware that the external authentication has been aborted by
wpa_supplicant.
Ashok Kumar [Fri, 24 May 2019 11:50:58 +0000 (17:20 +0530)]
SAE: Fix external_auth status in driver-SME STA case with AP SME support
A driver that uses internal AP SME may need to be able to use the
external_auth status operation in station mode, so do not skip this
solely based on drv->device_ap_sme; instead, use that condition only
when operating in AP mode.
Hu Wang [Fri, 26 Apr 2019 09:03:24 +0000 (17:03 +0800)]
P2P: Send Action frame regardless if p2p_scan in progress
With radio work design, send Action frame request will be queued and
wait for p2p-scan to finish, so there is no need to delay send_action.
This change revisits the logic (added before the radio work framework)
in below commits:
3f9285f P2P: Delay send_action call if p2p_scan is in progress f44ae20 P2P: Drop pending TX frame on new p2p_connect 9d562b7 P2P: Add p2p_unauthorize command 63a965c P2P: Fix after_scan_tx processing during ongoing operations 9a58e52 P2PS: Callback to create pending group after sending PD Response 3433721 P2P: Continue p2p_find after sending non-success Invitation Response
Sunil Dutt [Thu, 9 May 2019 11:26:45 +0000 (16:56 +0530)]
P2P: Force p2p-send-action as the next radio work to execute
This increases the priority of the p2p-send-action radio work, i.e., the
radio work used for transmitting potentially offchannel P2P Action
frames by marking it as the next radio work to execute. This is to avoid
the delay in transmissions due to already queued offchannel radio work
items in the queue. In particular, this means not having to wait for a
pending p2p-scan radio work to be executed before the new P2P Action
frame can be transmitted. This helps in avoiding timeouts on the peer
device when a P2P Action frames is received during other activity on the
device.
Sunil Dutt [Thu, 9 May 2019 11:05:03 +0000 (16:35 +0530)]
P2P: Reject p2p-send-action work while other one is pending
The previous implementation rejects the p2p-send-action work while there
is already one in progress (wpas_send_action_cb() has already been
called for it to start operation). Enhance the same to also consider any
p2p-send-action works pending in the radio work (i.e., waiting for that
wpas_send_action_cb() call).
This is considering the current behaviour of P2P to handle the state
corresponding to respective Action frame transmission:
pending_action_state. If a new P2P Action frame transmission is queued
while there is another one already in the queue, the transmit status of
the first frame is wrongly intepreted by the P2P state machine which has
already scheduled/queued another frame for transmission.
Ankita Bajaj [Wed, 22 May 2019 06:59:45 +0000 (12:29 +0530)]
OCE: Use RSSI of actual BSS which rejected association
If an AP rejects association due to low RSSI, then RSSI of the BSS from
which association reject is received shall be used for calculating RSSI
threshold at which STA can try connecting back to that BSS later. In
case of SME offload, the current_bss might not have been set before
receiving association completion, so fetch the BSS entry based on the
BSSID provided in the driver event.
Jouni Malinen [Wed, 29 May 2019 10:49:21 +0000 (13:49 +0300)]
tests: Fix ap-mgmt-fuzzer build configuration to match libap.a
Missing CONFIG_AIRTIME_POLICY=y made the offset of struct
hostapd_iface::prev_wmm different between libap.a and ap-mgmt-fuzzer.o
which resulted in odd fuzzing failures due to a memcpy to
ctx.iface->prev_wmm ending up writing on top of the ctx.hapd and in
particular, on top of ctx.hapd.iface pointer.
Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15013
Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15014
Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15015
Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15017
Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15019
Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15020 Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Jouni Malinen [Tue, 28 May 2019 17:06:55 +0000 (20:06 +0300)]
tests: Add more wait around tcpdump capture processes for proxyarp
It looks like the previously used sleep time was not sufficient to allow
capturing the frames from wlan0/wlan1/wlan2 to start and complete so
that all the necessary frames can be checked. This was the case
especially with UML time-travel=inf-cpu.
AP: Consider regulatory limitation when filling WMM element
In case the current channel has regulatory WMM limitations, take them
into account when filling the WMM element. Also check if the new WMM
element is different from the previous one and if so change the
parameter_set_count to imply stations to look into it.
nl80211: Add regulatory wmm_limit to hostapd_channel_data
ETSI EN 301 893 v2.1.1 (2017-05) standard defines a new channel access
mechanism that all devices (WLAN and LAA) need to comply with.
In previous versions the device was allowed by ETSI to implement
802.11 channel access mechanism based on a set of priority classes
which are taken from 802.11. According of the new standard there
might be some exceptions which require ETSI countries to follow
more restrictive rules. In such a case the AP's wmm IE need to
comply with ETSI limitation. To be able to do so the regulatory
domain passes the new limitation values if needed.
Implement this, by storing it and use it to calculate the new
WMM parameters.
This commit adds determination of regulator limitations to
NL80211_CMD_GET_WIPHY processing so that the information is available
for upper layer implementation to use later when constructing WMM
element.
tests: Update regulatory for FI to allow new regdb rules
Recent regdb enabled UNII 3 in Finland. Change the
mbo_supp_oper_classes_fi test accordingly to accept either the previous
or the current value to be reported.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
nl80211: Add support to probe specific mesh link by injecting frames
Add support for injecting frames to a given mesh peer, bypassing the
mpath table lookup using PROBE_MESH_LINK command. This helps to send
data frames over unexercised direct mesh path, which is not selected as
next_hop node. This can be helpful in measuring link metrics.
Johannes Berg [Wed, 8 May 2019 05:30:38 +0000 (07:30 +0200)]
nl80211: Update freq only when CSA completes
In the case of the ap_csa_disable test, I frequently see
failures due to the kernel *not* having switched, but the
CSA-STARTED event having been processed, and thus the
frequency having been updated already.
This is wrong at least for AP mode, the frequency we store
for this case internally in nl80211 should only be updated
when the channel switch completes, otherwise we end up in
a situation where the switch is aborted and the kernel is
thus on the old channel, but the internal information has
been updated and every subsequent mgmt-frame TX fails due
to being tagged with the wrong channel.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Johannes Berg [Sun, 26 May 2019 20:16:20 +0000 (22:16 +0200)]
tests: uml: Request non-raw serial ports
When the serial ports are set into raw mode on stdio (fd:0,fd:1)
then Ctrl-C is sort of passed through, but not effective. Request
non-raw mode to avoid that and let us cancel test execution with
Ctrl-C properly (both in parallel-vm.py and vm-run.sh cases).
Note that this requires a currently out-of-tree patch, but so
does the virtual time. If the patch is not applied, the command
line argument is ignored.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Johannes Berg [Tue, 28 May 2019 09:14:07 +0000 (11:14 +0200)]
AP: add station with basic rates configuration
When a new station is added, let it have some supported rates
(they're empty without this change), using the basic rates
that it must support to connect.
This, together with the kernel-side changes for client-side,
lets us finish the complete auth/assoc handshake with higher
rates than the mandatory ones, without any further config.
However, the downside to this is that a broken station that
doesn't check the basic rates are supported before it tries
to connect will possibly not get any response to its auth
frame.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Jouni Malinen [Mon, 27 May 2019 19:53:53 +0000 (22:53 +0300)]
tests: Give more time in ap_wpa2_psk_ext_delayed_ptk_rekey for UML
Waiting for exactly one second for a one second timeout with
time-travel=inf-cpu is not exactly robust, so increase that wait to be
able to see the last EAPOL-Key TX attempt from hostapd.
Jouni Malinen [Mon, 27 May 2019 19:22:07 +0000 (22:22 +0300)]
tests: Fix ap_wpa2_eap_status loop with UML time-travel=inf-cpu
Busy loop for waiting is not going to work with time-travel=inf-cpu, so
need to something a bit more explicit to wait for the wpa_supplicant
process to proceed while not fully breaking the idea of this test case
to iteration through large number of STATUS-VERBOSE commands to hit
different states.
John Crispin [Mon, 20 May 2019 07:55:10 +0000 (09:55 +0200)]
HE: Fix HE Capabilities element variable length encoding
The HE Capibilities element has dynamic size due to the variable length
and optional fields at the end. Mask out the channel width capabilities
that are less than the configured. Only add the MCS/NSS sets for the
announced channel widths and also add the PPET elements.
Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com> Signed-off-by: John Crispin <john@phrozen.org>
John Crispin [Mon, 20 May 2019 07:55:10 +0000 (09:55 +0200)]
HE: Fix HE Capabilities indication from driver
The PPE Thresholds information in the end of the HE Capabilities element
is optional and of variable length. struct he_ppe_threshold was not
really used correctly for encoding this, so remove it and just reserve
enough space for the information.
Signed-off-by: Shashidhar Lakkavalli <slakkavalli@datto.com> Signed-off-by: John Crispin <john@phrozen.org>
Jouni Malinen [Sun, 26 May 2019 15:02:08 +0000 (18:02 +0300)]
VHT: Remove copying of VHT Operation element from (Re)Assoc Req
This copying attempt was added incorrectly since that element is never
actually present in (Re)Association Request frames. It is only valid to
copy that element from the mesh peering frames.
Jouni Malinen [Sat, 25 May 2019 21:47:17 +0000 (00:47 +0300)]
More forceful clearing of stack memory with keys
gcc 8.3.0 was apparently clever enough to optimize away the previously
used os_memset() to explicitly clear a stack buffer that contains keys
when that clearing happened just before returning from the function.
Since memset_s() is not exactly portable (or commonly available yet..),
use a less robust mechanism that is still pretty likely to prevent
current compilers from optimizing the explicit clearing of the memory
away.
Jouni Malinen [Sat, 25 May 2019 18:48:45 +0000 (21:48 +0300)]
mesh: Fix RSN initialization failure handling
The driver was left in mesh mode (joined to the group) if RSN
authenticator initialization failed. This could result in next
operations failing due to unexpected driver state.
This was found with the following hwsim test case sequence:
mesh_wpa_auth_init_oom dpp_config_no_discovery
Jouni Malinen [Sat, 25 May 2019 18:18:24 +0000 (21:18 +0300)]
tests: Fix robustness issue in DPP test cases with SAE
The sae_groups parameter needs to be cleared before attempt a SAE
connection in a test case to avoid issues with this parameter having
been left to something else than the default one by a previous test
case. This was found with the following sequence:
sae_pwe_failure dpp_auto_connect_legacy_psk_sae_1
Jouni Malinen [Sat, 25 May 2019 16:07:11 +0000 (19:07 +0300)]
tests: Fix ERP test cases to close separate AS (ifname=as-erp)
The earlier change from using apdev[1] to using a no-interface
ifname=as-erp in the ERP related test cases ended up leaving the
separate authentication server interface running after the end of the
test case. This left UDP port 18128 open and any consecutive test case
needing this port failed to start another authentication server.
This can be reproduced with following test case sequence:
fils_auth_gtk_rekey authsrv_unknown_user
Fixes: e374def207c1 ("tests: Start ERP authentication server without AP") Signed-off-by: Jouni Malinen <j@w1.fi>
Mohit Sethi [Fri, 17 May 2019 19:06:12 +0000 (22:06 +0300)]
EAP-AKA: Add Session-Id derivation during fast-reauth
The Session-Id derivation for EAP-AKA in RFC 5247 only explained how the
Session-Id is derived for regular authentication. Jouni reported it as
an errata with text explaining how to derive it during fast
reauthentication.
This patch now exports the Session-Id for EAP-AKA during fast
reauthentication based on this Session-Id = 0x17 || NONCE_S || MAC
construction.
Also documented by Alan Dekok in draft-dekok-emu-eap-session-id.
Mohit Sethi [Fri, 17 May 2019 11:40:30 +0000 (14:40 +0300)]
EAP-SIM: Add Session-Id derivation during fast-reauth
The Session-Id derivation for EAP-SIM in RFC 5247 only explained how the
Session-Id is derived for regular authentication. Jouni reported it as
an errata with text explaining how to derive it during fast
reauthentication.
This patch now exports the Session-Id for EAP-SIM during fast
reauthentication based on this Session-Id = 0x12 || NONCE_S || MAC
construction.
Jouni Malinen [Fri, 24 May 2019 22:51:12 +0000 (01:51 +0300)]
UBSan: Avoid dependency on undefined behavior in internal AES operation
The rcons[] and Td4s[] array values need to be type cast explicitly to
u32 for the left shift 24 operation to be defined due to the implicit
conversion to int not handling the case where MSB would become 1 without
depending on UB.
Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14929 Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Jouni Malinen [Fri, 24 May 2019 22:34:58 +0000 (01:34 +0300)]
tests: Fix ap-mgmt-fuzzer exit to free memory
This fuzzing wrapper does not go through full hostapd_clean_iface() call
to free memory, so call ap_list_deinit() to avoid reporting memory leaks
from added AP list entries. This case could not be hit with
hostapd/wpa_supplicant since they perform full interface deinit on
interface removal.
Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14928 Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Jouni Malinen [Fri, 24 May 2019 22:29:47 +0000 (01:29 +0300)]
WNM: Fix bounds checking in SSID List element matching
The IE header length check was off-by-one and that could allow the loop
to read one octet beyond the end of the buffer before breaking out in
the second check.
Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14927 Fixes: 0a66ce3c49db ("WNM: Add support for SSID List element matching") Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Jouni Malinen [Fri, 24 May 2019 22:14:46 +0000 (01:14 +0300)]
tests: Fix p2p-fuzzer callbacks
Couple of the callback functions had changed their prototypes and
p2p-fuzzer compilation resulted in a warning and not returning
*scheduled from the send_action() callback. This was reported as
use-of-uninitialized-value which was not really possible with
wpa_supplicant since the issue was only in the fuzzing wrapper.
Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14924 Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The length check for the BSS Termination Duration subelement was
accidentally removed and this could result in reading up to 10 bytes
beyond the end of a received frame. The actual read bytes would be
stored locally, but they were not used for anything, so other than
reading beyond the end of an allocated heap memory buffer, this did not
result in any behavior difference or exposure of the bytes.
Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=14922 Fixes: 093226783dc7 ("WNM: Simplify how candidate subelements are stored") Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Jouni Malinen [Fri, 24 May 2019 13:30:19 +0000 (16:30 +0300)]
tests: Free WNM allocations cleanly in wnm-fuzzer
Avoid a memory leak in fuzzer tests by calling wnm_deallocate_memory()
before exiting since this fuzzing wrapper does not use full
wpa_supplicant_cleanup().
Jouni Malinen [Wed, 22 May 2019 22:34:24 +0000 (01:34 +0300)]
DPP: Fix bootstrapping URI parser to handle channel list for an opclass
The bootstrapping URI format for DPP was extended during protocol design
to allow a list of channels without having to repeat the same operating
class information for each channel. That change was not included in the
initial implementation of the parser and a channel-list like
"C:81/1,6,11" would not be understood correctly (i.e., only the longer
"C:81/1,81/6,81/11" form would have been parsed correctly).
Fix this by extending the parser to accept both the shorter and longer
form for a list of channels within a single operating class.
Jouni Malinen [Wed, 22 May 2019 14:42:53 +0000 (17:42 +0300)]
FILS: Verify RSNE match between Beacon/Probe Response and (Re)AssocResp
IEEE Std 802.11ai-2016 requires the FILS STA to do this check, but this
was missing from the initial implementation. The AP side behavior was
not described properly in 802.11ai due to a missing change in the
(Re)Association Response frame format tables which has resulted in some
deployed devices not including the RSNE.
For now, use an interoperability workaround to ignore the missing RSNE
and only check the payload of the element if it is present in the
protected frame. In other words, enforce this validation step only with
an AP that implements FILS authentication as described in REVmd while
allowing older implementations to skip this check (and the protection
against downgrade attacks). This workaround may be removed in the future
if it is determined that most deployed APs can be upgraded to add RSNE
into the (Re)Association Response frames.