ASHUTOSH NARAYAN [Mon, 19 Jan 2015 01:45:01 +0000 (20:45 -0500)]
HS20: Provide appropriate permission to the OSU related files
The icon files and the osu-providers.txt that are generated may not have
proper permission for external programs to access. Set the access
permissions to the same as the permissions for osu_dir.
ASHUTOSH NARAYAN [Mon, 19 Jan 2015 01:45:00 +0000 (20:45 -0500)]
HS20: Fix TrustRoot path for PolicyUpdate node in PPS MO
Incorrect TrustRoot path "PolicyUpdate/TrustRoot" was used. The
TrustRoot path is required to be "Policy/PolicyUpdate/TrustRoot" as
defined in Section 9.1 of Hotspot 2.0 (Release 2) specification. Fix the
path to "Policy/PolicyUpdate/TrustRoot".
ASHUTOSH NARAYAN [Mon, 19 Jan 2015 01:44:59 +0000 (20:44 -0500)]
HS20: Return result of cmd_sub_rem in hs20-osu-client
Previously, both failure and success cases used same return value 0.
Indicate failures differently to make hs20-osu-client return value more
useful for subscription remediation cases.
Eytan Lifshitz [Mon, 19 Jan 2015 04:56:43 +0000 (23:56 -0500)]
Avoid NULL string in printf on EAP method names in authenticator
In ieee802_1x_decapsulate_radius(), eap_server_get_name() may return
NULL, and it could be dereferenced depending on printf implementation.
Change it to return "unknown" instead for the case of no matching EAP
method found. This makes it easier for the callers to simply print this
in logs (which is the only use for this function).
Ilan Peer [Mon, 19 Jan 2015 01:44:12 +0000 (20:44 -0500)]
P2P: Stop p2p_listen/find on wpas_p2p_invite
Stop any ongoing P2P listen/find flow before starting invitation flow.
This was partially handled in p2p_invite() that called p2p_find(), but
this did not cleanly handle cases such as long_listen.
Ilan Peer [Mon, 19 Jan 2015 01:44:10 +0000 (20:44 -0500)]
P2P: Use the correct wpa_s interface to handle P2P state flush
A control interface call to flush the current state used the
current wpa_s to clear the P2P state even though it might not
be the interface controlling the P2P state.
Fix it by using the correct interface to flush the P2P state.
Ben Rosenfeld [Mon, 19 Jan 2015 01:44:08 +0000 (20:44 -0500)]
Move external_scan_running to wpa_radio
external_scan_running should be common to all interfaces that share a
radio. This fixes a case where external_scan_running was set on a single
interface, but did not block scan on other interfaces.
Signed-off-by: Ben Rosenfeld <ben.rosenfeld@intel.com>
Ben [Mon, 19 Jan 2015 01:44:07 +0000 (20:44 -0500)]
Clear reattach flag in fast associate flow
Clear the reattach flags, in case a connection request did not trigger a
scan. This needs to be done to avoid leaving the reattach flag set for
the next scan operation which may not have anything to do with the
specific request that could have been optimized using the single-channel
single-SSID scan.
Jouni Malinen [Mon, 19 Jan 2015 18:10:00 +0000 (20:10 +0200)]
Retry scan-for-connect if driver trigger fails
This restores some of the pre-radio work behavior for scanning by
retrying scan trigger if the driver rejects it (most likely returning
EBUSY in case of nl80211-drivers). Retry is indicated in the
CTRL-EVENT-SCAN-FAILED event with "retry=1".
For manual scans (e.g., triggered through "SCAN" control interface
command), no additional retries are performed. In other words, if upper
layers want to retry, they can do so based on the CTRL-EVENT-SCAN-FAILED
event.
Jouni Malinen [Mon, 19 Jan 2015 17:34:00 +0000 (19:34 +0200)]
Add a test framework for various wpa_supplicant failure cases
For CONFIG_TESTING_OPTIONS=y builds, add a new test parameter than can
be used to trigger various error cases within wpa_supplicant operations
to make it easier to test error path processing. "SET test_failure
<val>" is used to set which operation fails. For now, 0 = no failures
and 1 = scan trigger fails with EBUSY. More operations can be added in
the future to extend coverage.
Jouni Malinen [Mon, 19 Jan 2015 16:35:59 +0000 (18:35 +0200)]
WPS: Re-fix an interoperability issue with mixed mode and AP Settings
Commit ce7b56afab8e6065e886b9471fa8071c8d2bd66b ('WPS: Fix an
interoperability issue with mixed mode and AP Settings') added code to
filter M7 Authentication/Encryption Type attributes into a single bit
value in mixed mode (WPA+WPA2) cases to work around issues with Windows
7. This workaround was lost in commit d7a15d5953beb47964526aa17b4dc2e9b2985fc1 ('WPS: Indicate current AP
settings in M7 in unconfigurated state') that fixed unconfigured state
values in AP Settings, but did not take into account the earlier
workaround for mixed mode.
Re-introduce filtering of Authentication/Encryption Type attributes for
M7 based on the current AP configuration. In other words, merge those
two earlier commits together to include both the earlier workaround the
newer fix.
Jouni Malinen [Sun, 18 Jan 2015 16:06:47 +0000 (18:06 +0200)]
tests: Add step-by-step guide for setting up test framework
This set of notes provides information on how virtual guess OS can be
used to run the mac80211_hwsim test cases under any host OS. The
specific example here uses Ubuntu 14.04.1 server as the starting point
and lists the additional packages that need to be installed and commands
that can be used to fetch and build the test programs.
Jouni Malinen [Sun, 18 Jan 2015 15:13:55 +0000 (17:13 +0200)]
tests: Close wlan5 control interface monitor more explicitly
There were couple of common cases where the control interface for the
dynamic wpa_supplicant instance could have been left in attached state
until Python ends up cleaning up the instance. This could result in
issues if many monitor interface events were queued for that attached
socket. Make this less likely to cause issues by explicitly detaching
and closing control interfaces before moving to the next test case.
Jouni Malinen [Sun, 18 Jan 2015 14:23:43 +0000 (16:23 +0200)]
Print in debug log whether attached monitor is for global interface
It is easier to debug issues related to the wpa_supplicant control
interfaces being left behind in attached state when the debug log file
can be used to determine whether a specific monitor socket was a global
or per-interface one.
Jouni Malinen [Sun, 18 Jan 2015 13:58:05 +0000 (15:58 +0200)]
tests: Make WNM Sleep Mode tests more robust
It was possible for the Action frame used for entring WNM Sleep Mode to
get dropped on the AP side due to it arriving prior to having processed
EAPOL-Key message 4/4 due to a race condition between Data and
Management frame processing paths. Avoid this by waiting for
AP-STA-CONNECTED event from hostapd prior to trying to enter WNM Sleep
Mode. In addition, make the check for the STA flag change more robust by
allowing the wait to be a bit longer with a loop that terminates as soon
as the flag has changed.
Jouni Malinen [Sun, 18 Jan 2015 13:47:56 +0000 (15:47 +0200)]
tests: Make PMKSA caching tests more robust
When the STA is forced to disconnect immediately after completion of
4-way handshake, there is a race condition on the AP side between the
reception of EAPOL-Key msg 4/4 and the following Deauthentication frame.
It is possible for the deauthentication notification to be processed
first since that message uses different path from kernel to user space.
If hostapd does not receive EAPOL-Key msg 4/4 prior to deauthentication,
no PMKSA cache entry is added. This race condition was making the test
cases expecting PMKSA caching to work to fail every now and then. Avoid
this issue by waiting for AP-STA-CONNECTED event from hostapd. This
makes sure the PMKSA cache entry gets added on the AP side.
Jouni Malinen [Sat, 17 Jan 2015 17:39:23 +0000 (19:39 +0200)]
tests: Import gobject in a way that allows failures
It looks like the gobject module does not get installed by default for
Python at least on Ubuntu server, so modify the D-Bus test case files to
import this in a way that allows other test cases to be run even without
gobject module being installed.
Jouni Malinen [Sat, 17 Jan 2015 16:19:45 +0000 (18:19 +0200)]
tests: Make ap_anqp_sharing more robust
This test case uses get_bss() with a BSSID to find a BSS entry. That can
result in failures if there are multiple BSS entries in wpa_supplicant
BSS table for the same BSSID, e.g., due to an earlier hidden SSID test
case. Explicitly clear the cfg80211 and wpa_supplicant scan caches at
the beginning of this test case to make it less likely for earlier test
cases to trigger a failure here.
Jouni Malinen [Sat, 17 Jan 2015 16:09:40 +0000 (18:09 +0200)]
tests: Make ap_mixed_security more robust
This test case uses get_bss() with a BSSID to find a BSS entry. That can
result in failures if there are multiple BSS entries in wpa_supplicant
BSS table for the same BSSID, e.g., due to an earlier hidden SSID test
case. Explicitly clear the cfg80211 and wpa_supplicant scan caches at
the beginning of this test case to make it less likely for earlier test
cases to trigger a failure here.
Jouni Malinen [Sat, 17 Jan 2015 15:47:32 +0000 (17:47 +0200)]
HS 2.0: Try to use same BSS entry for storing GAS results
Commit 17b8995cf5813d7c027cd7a6884700e791d72392 ('Interworking: Try to
use same BSS entry for storing GAS results') added a mechanism to try to
pair GAS request and response to a single BSS entry to cover cases where
multiple BSS entries may exists for the same BSSID. However, that commit
did not cover the Hotspot 2.0 ANQP elements. Extend this mechanism to
all ANQP elements. This can help in cases where information in the
Hotspot 2.0 specific ANQP elements got lost if a hidden SSID or some
other reason of duplicated BSS entries was present while doing ANQP
fetches.
Jouni Malinen [Sat, 17 Jan 2015 14:59:40 +0000 (16:59 +0200)]
tests: Make ap_wpa2_eap_aka_ext faster and more robust
Use SELECT_NETWORK instead of REASSOCIATE for the first reconnection to
avoid unnecessary long wait for temporary network disabling to be
cleared. In addition, wait for the disconnect event after issuing the
DISCONNECT commands to avoid issues due to any pending events during the
immediately following reconnection attempt.
Jouni Malinen [Sat, 17 Jan 2015 13:39:48 +0000 (15:39 +0200)]
Make wpa_supplicant FLUSH command more likely to clear all BSS entries
Move the wpa_bss_flush() call to the end of the function to allow any
pending user of a BSS entry to be cleared before removing the unused
entries. There were number of cases where BSS entries could have been
left in the list and this resulted in some hwsim test failures.
Jouni Malinen [Sat, 17 Jan 2015 11:05:34 +0000 (13:05 +0200)]
tests: Skip some scan tests if iw does not support scan flush
The external cfg80211 scan flushing operation requires a relatively
recent iw version and not all distributions include that. Avoid false
failure reports by marking these test cases skipped if the iw command
fails.
Jouni Malinen [Sat, 17 Jan 2015 11:04:11 +0000 (13:04 +0200)]
tests: Fix test skipping for some DFS/VHT cases
Due to a typo and missing hapd variable initialization, some of the DFS
and VHT test cases were marked as failures even though they were
supposed to be marked as skipped in case the kernel and wireless-regdb
did not have sufficient support for these modes.
Jouni Malinen [Sat, 17 Jan 2015 10:39:00 +0000 (12:39 +0200)]
tests: Fix dbus_probe_req_reporting_oom if already registered
If dbus_probe_req_reporting was run before dbus_probe_req_reporting_oom,
the SubscribeProbeReq() method succeeded since the memory allocation
that was supposed to fail in the OOM test case was not even tried.
Jouni Malinen [Fri, 16 Jan 2015 23:48:15 +0000 (01:48 +0200)]
tests: Interworking auto_interworking=1 with mismatching BSS
This is a regression test case to detect a failure that resulted in an
up to five second busy loop through wpa_supplicant_fast_associate() when
interworking_find_network_match() and wpa_supplicant_select_bss() get
different matching results.
Jouni Malinen [Fri, 16 Jan 2015 23:43:00 +0000 (01:43 +0200)]
Interworking: Avoid busy loop in scan result mismatch corner cases
It was possible for interworking_find_network_match() to find a possible
BSS match in a case where more thorough checks in
wpa_supplicant_select_bss() reject network. This itself is fine, in
general, but when combined with wpa_supplicant_fast_associate()
optimization and auto_interworking=1, this resulted in a busy loop of up
to five seconds and a possible stack overflow due to recursion in that
loop.
Fix this by limiting the Interworking wpa_supplicant_fast_associate()
call to be used only once per scan iteration, so that new scan
operations can be completed before going through the scan results again.
Jouni Malinen [Fri, 16 Jan 2015 23:39:34 +0000 (01:39 +0200)]
Interworking: Start ANQP fetch from eloop callback
Reduce maximum stack use by starting next ANQP fetch operation from an
eloop callback rather than calling interworking_next_anqp_fetch()
directly from interworking_start_fetch_anqp(). This avoids issues that
could potentially make the process run out of stack if long loops of
ANQP operations are executed in cases where automatic Interworking
network selection is used and scan results do not have a full match for
a network.
Jouni Malinen [Fri, 16 Jan 2015 11:07:14 +0000 (13:07 +0200)]
Add authMultiSessionId into hostapd STA info
dot1xAuthSessionId was previously used to make Acct-Session-Id available
through the control interface. While there is no IEEE 802.1X MIB
variable for Acct-Multi-Session-Id, it is useful to make this value
available as well.
Jouni Malinen [Fri, 16 Jan 2015 10:14:07 +0000 (12:14 +0200)]
tests: Fix radius_das_disconnect match + non-match case
If Calling-Station-Id matches, but CUI does not, NAS is expected to
reject the request instead of accepting it. Verify that Disconnect-NAK
is returned for this.
Jouni Malinen [Fri, 16 Jan 2015 10:10:52 +0000 (12:10 +0200)]
RADIUS DAS: Check for single session match for Disconnect-Request
Previously, the first matching STA was picked. That is not really the
design in RFC 5176, so extend this matching code to go through all
specified session identification attributes and verify that all of them
match. In addition, check for a possible case of multiple sessions
matching. If such a case is detected, return with Disconnect-NAK and
Error-Code 508 (multiple session selection not supported).
Jouni Malinen [Thu, 15 Jan 2015 23:13:59 +0000 (01:13 +0200)]
tests: STA not getting response to SA Query
This verifies that wpa_supplicant reconnects if PMF is enabled,
unprotected Deauthentication/Disassociation frame is received, and the
AP does not reply to SA Query.
Jouni Malinen [Thu, 15 Jan 2015 10:24:18 +0000 (12:24 +0200)]
Interworking: Fix INTERWORKING_CONNECT with zero-length SSID BSS entry
For Interworking connection to work, the SSID of the selected BSS needs
to be known to be able to associate with the AP. It was possible for the
scan results to include two BSS entries matching the BSSID when an
earlier scan with that AP has shown a hidden SSID configuration (e.g.,
when running hwsim test cases, but at least in theory, this could happen
with real use cases as well). When that happened, the incorrect BSS
entry may not have included RSN configuration and as such, it would get
rejected for Interworking connection.
Fix this by confirming that the selected BSS entry has a real SSID. If
not, try to find another BSS entry matching the same BSSID and use that,
if found with an SSID.
If a second scan trigger attempt fails in STA mode, the error path was
supposed to restore the old mode that was in use before changing to STA
mode. However, wpa_driver_nl80211_set_mode() changes drv->nlmode on
success, so the recovery path needs to use the saved old_mode value
instead.
Jouni Malinen [Wed, 14 Jan 2015 13:31:28 +0000 (15:31 +0200)]
Add domain_match network profile parameter
This is similar with domain_suffix_match, but required a full match of
the domain name rather than allowing suffix match (subdomains) or
wildcard certificates.
Jouni Malinen [Wed, 14 Jan 2015 11:29:14 +0000 (13:29 +0200)]
tests: dbus_connect_eap to verify dNSName constraint configuration
This verifies that Certification signals include the expected
information on peer certificates and that dNSName constraint can be
configured based on that and is working both in matching and not
matching cases.
Jouni Malinen [Wed, 14 Jan 2015 11:29:40 +0000 (13:29 +0200)]
Add peer certificate alt subject name information to EAP events
A new "CTRL-EVENT-EAP-PEER-ALT depth=<i> <alt name>" event is now used
to provide information about server certificate chain alternative
subject names for upper layers, e.g., to make it easier to configure
constraints on the server certificate. For example:
CTRL-EVENT-EAP-PEER-ALT depth=0 DNS:server.example.com
Currently, this includes DNS, EMAIL, and URI components from the
certificates. Similar information is priovided to D-Bus Certification
signal in the new altsubject argument which is a string array of these
items.
Jouni Malinen [Wed, 14 Jan 2015 10:14:31 +0000 (12:14 +0200)]
Include peer certificate always in EAP events
This makes it easier for upper layer applications to get information
regarding the server certificate without having to use a special
certificate probing connection. This provides both the SHA256 hash of
the certificate (to be used with ca_cert="hash://server/sha256/<hash>",
if desired) and the full DER encoded X.509 certificate so that upper
layer applications can parse and display the certificate easily or
extract fields from it for purposes like configuring an altsubject_match
or domain_suffix_match.
The old behavior can be configured by adding cert_in_cb=0 to
wpa_supplicant configuration file.
Jouni Malinen [Tue, 13 Jan 2015 23:38:26 +0000 (01:38 +0200)]
Get rid of a compiler warning
Commit e7d0e97bdbdc996564f06b382af3d5a5164a8fb3 ('hostapd: Add vendor
specific VHT extension for the 2.4 GHz band') resulted in a compiler
warning regarding comparison between signed and unsigned integers at
least for 32-bit builds.
Jouni Malinen [Tue, 13 Jan 2015 22:50:58 +0000 (00:50 +0200)]
Extend VENDOR_ELEM parameters to cover non-P2P Association Request
The new VENDOR_ELEM value 13 can now be used to add a vendor element
into all (Re)Association Request frames, not just for P2P use cases like
the previous item was for.
Jouni Malinen [Tue, 13 Jan 2015 23:11:08 +0000 (01:11 +0200)]
tests: Add room for more vendor elems in wpas_ctrl_vendor_elem
This test case was verifying that the first unused VENDOR_ELEM value
above the current maximum is rejected. That makes it a bit inconvenient
to add new entries, so increase the elem value to leave room for new
additions without having to continuously modify this test case.
Yanbo Li [Mon, 10 Nov 2014 15:12:29 +0000 (23:12 +0800)]
hostapd: Add vendor specific VHT extension for the 2.4 GHz band
This allows vendor specific information element to be used to advertise
support for VHT on 2.4 GHz band. In practice, this is used to enable use
of 256 QAM rates (VHT-MCS 8 and 9) on 2.4 GHz band.
This functionality is disabled by default, but can be enabled with
vendor_vht=1 parameter in hostapd.conf if the driver advertises support
for VHT on either 2.4 or 5 GHz bands.
Jouni Malinen [Sun, 11 Jan 2015 21:13:35 +0000 (23:13 +0200)]
tests: Valid OCSP response with revoked and unknown cert status
This increases testing coverage for OCSP processing by confirming that
valid OCSP response showing revoked certificate status prevents
successful handshake completion. In addition, unknown certificate status
is verified to prevent connection if OCSP is required and allow
connection if OCSP is optional.
Jouni Malinen [Sun, 11 Jan 2015 17:07:13 +0000 (19:07 +0200)]
GnuTLS: Add support for OCSP stapling as a client
This allows ocsp=2 to be used with wpa_supplicant when built with GnuTLS
to request TLS status extension (OCSP stapling) to be used to validate
server certificate validity.
Jouni Malinen [Sun, 11 Jan 2015 18:17:51 +0000 (20:17 +0200)]
tests: Generate a fresh OCSP response for each test run
GnuTLS has a hardcoded three day limit on OCSP response age regardless
of the next update value in the response. To make this work in the test
scripts, try to generate a new response when starting the authentication
server. The old mechanism of a response without next update value is
used as a backup option if openssl is not available or fails to generate
the response for some reason.
Jouni Malinen [Sun, 11 Jan 2015 17:45:56 +0000 (19:45 +0200)]
tests: Check mesh capability based on the modes capabilities list
This is more robust than checking the driver capability because it is
also possible for the wpa_supplicant build to be configured without mesh
support regardless of whether the driver supports it.
Jouni Malinen [Sun, 11 Jan 2015 17:42:57 +0000 (19:42 +0200)]
tests: Verify that SAE is supported for test cases requiring it
This makes it more convenient to run tests with wpa_supplicant builds
that do not support SAE (e.g., due to crypto library not providing
sufficient functionality for this).
Jouni Malinen [Sun, 11 Jan 2015 16:13:17 +0000 (18:13 +0200)]
GnuTLS: Fix tls_disable_time_checks=1 processing
Certificate expiration is checked both within GnuTLS and in the
tls_gnutls.c implementation. The former was configured to use the
request to ignore time checks while the latter was not. Complete support
for this parameter by ignoring the internal expiration checks if
requested.
projects / thirdparty / hostap.git / log
