Jouni Malinen [Thu, 20 Aug 2015 21:21:20 +0000 (00:21 +0300)]
eapol_test: Add a new operation mode for control interface use
The -T<ctrl_iface> command line argument can now be used to start
eapol_test in a mode where the configuration file is not needed and the
authentication operations are started through the control interface.
Network profile is also managed through the control interface in this
case. This can be used to provide more control for scripted RADIUS
authentication server testing.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Thu, 20 Aug 2015 20:13:33 +0000 (23:13 +0300)]
eapol_test: Allow interface name to be specified
The new -i<ifname> command line argument can be used to specify the name
of the interface to use. This is mainly to allow unique control
interface names to be defined without having to use multiple
directories.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Tue, 18 Aug 2015 22:36:48 +0000 (01:36 +0300)]
tests: More WPS ER HTTP protocol testing
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Tue, 18 Aug 2015 17:02:57 +0000 (20:02 +0300)]
tests: Skip TLS OCSP stapling test cases with BoringSSL builds
BoringSSL removed the OpenSSL API used to implement OCSP stapling
support.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Tue, 18 Aug 2015 16:58:13 +0000 (19:58 +0300)]
tests: Allow AES-WRAP-192 test cases to be commented out with BoringSSL
BoringSSL does not support 192-bit AES, so these parts of the
wpa_supplicant module tests would fail.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Tue, 18 Aug 2015 16:52:38 +0000 (19:52 +0300)]
tests: Allow group 25 to fail in ap_wpa2_eap_pwd_groups with BoringSSL
It looks like NID_X9_62_prime192v1 is not available, so allow that group
to fail without failing the full ap_wpa2_eap_pwd_groups test case.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Tue, 18 Aug 2015 16:46:56 +0000 (19:46 +0300)]
tests: Use group 26 instead of 25 in sae_oom_wpas with BoringSSL
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Tue, 18 Aug 2015 16:43:23 +0000 (19:43 +0300)]
tests: Allow group 25 to fail in sae_groups if running with BoringSSL
It looks like NID_X9_62_prime192v1 is not available, so allow that group
to fail without failing the full sae_groups test case.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Mon, 17 Aug 2015 23:24:06 +0000 (02:24 +0300)]
OpenSSL: Reject OCSP-required configuration if no OCSP support
This is needed at least with BoringSSL to avoid accepting OCSP-required
configuration with a TLS library that does not support OCSP stapling.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Mon, 17 Aug 2015 23:06:02 +0000 (02:06 +0300)]
BoringSSL: Fix PKCS12_parse() segfault when used without password
Unlike OpenSSL PKCS12_parse(), the BoringSSL version seems to require
the password pointer to be non-NULL even if no password is present. Map
passwd == NULL to passwd = "" to avoid a NULL pointer dereference
within BoringSSL.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Mon, 17 Aug 2015 22:53:17 +0000 (01:53 +0300)]
OpenSSL: Handshake completion and resumption state into debug log
This new debug log entry makes it more convenient to check how TLS
handshake was completed.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Mon, 17 Aug 2015 19:50:41 +0000 (22:50 +0300)]
BoringSSL: Fix session resumption
BoringSSL commit
533ef7304d9b48aad38805f1997031a0a034d7fe ('Remove
SSL_clear calls in handshake functions.') triggered a regression for
EAP-TLS/TTLS/PEAP session resumption in wpa_supplicant due to the
removed SSL_clear() call in ssl3_connect() going away and wpa_supplicant
not calling SSL_clear() after SSL_shutdown(). Fix this by adding the
SSL_clear() call into wpa_supplicant after SSL_shutdown() when preparing
the ssl instance for another connection.
While OpenSSL is still calling SSL_clear() in ssl3_connect(), it looks to
be safe to add this call to wpa_supplicant unconditionally.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Mon, 17 Aug 2015 18:35:44 +0000 (21:35 +0300)]
BoringSSL: Make SSL_set_ssl_method() conditional on EAP-FAST
This function does not seem to be available in BoringSSL. Since it is
needed for EAP-FAST (which is not currently working with BoringSSL),
address this by commenting out the EAP-FAST specific step from builds
that do not include EAP-FAST support.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Mon, 17 Aug 2015 18:34:11 +0000 (21:34 +0300)]
BoringSSL: Comment out SSL_build_cert_chain() call
It looks like BoringSSL does include that function even though it claims
support for OPENSSL_VERSION_NUMBER where this is available (1.0.2). For
now, comment out that call to fix build.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Mon, 17 Aug 2015 18:31:17 +0000 (21:31 +0300)]
BoringSSL: Allow internal AES key wrap to be used with "OpenSSL" build
It looks like BoringSSL has removed the AES_wrap_key(), AES_unwrap_key()
API. This broke wpa_supplicant/hostapd build since those functions from
OpenSSL were used to replace the internal AES key wrap implementation.
Add a new build configuration option
(CONFIG_OPENSSL_INTERNAL_AES_WRAP=y) to allow the internal
implementation to be used with CONFIG_OPENSSL=y build to allow build
against the latest BoringSSL version.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Sat, 15 Aug 2015 19:41:13 +0000 (22:41 +0300)]
tests: WPS ER protocol testing
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 16 Aug 2015 21:16:46 +0000 (00:16 +0300)]
Set NORMAL_SCAN_REQ on SELECT_NETWORK/ENABLE_NETWORK
wpa_s->scan_req needs to be set in these cases to get correct scanning
behavior. This is mainly needed for starting of AP mode operation
immediately in ap_scan=2 case.
This fixes an issue that was found with mac80211_hwsim test cases in the
following sequence: dbus_autoscan dbus_ap_scan_2_ap_mode_scan
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 16 Aug 2015 20:55:14 +0000 (23:55 +0300)]
tests: Trigger failure on exceptions in the dbus_p2p_autogo thread
This makes the test case more robust in reporting failures.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 16 Aug 2015 20:51:07 +0000 (23:51 +0300)]
Remove duplicated sta_authorized_cb call
Commit
6959145b86318710d0186b618d54bce2991a6e6f ('FST: Integration into
hostapd') introduced this duplicated call due to an incorrect merge
conflict resolution in ap_sta_set_authorized(). An earlier commit
61fc90483fec17b69a26b16e42723474daccec24 ('P2P: Handle improper WPS
termination on GO during group formation') had moved this call to an
earlier location in the function and there is no point in re-introducing
another copy of the call at the end of the function.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 16 Aug 2015 19:41:21 +0000 (22:41 +0300)]
tests: WPS and non-WPS AP in single hostapd process
This is a regression test case for WPS_AP_PIN triggered hostapd segfault
when a non-WPS interface was enabled.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 16 Aug 2015 19:38:31 +0000 (22:38 +0300)]
WPS: Fix multi-interface WPS operations in hostapd
Couple of the for-each-interface loops used incorrect return value when
skipping over non-WPS interfaces. This could result in skipping some WPS
interfaces in the loop and returning error. Setting AP PIN did not check
for WPS being enabled at all and triggered a NULL pointer dereference if
non-WPS interface was enabled.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 16 Aug 2015 19:30:54 +0000 (22:30 +0300)]
tests: Fix FST tests to remove hostapd instance
These test cases added a new radio for the non-FST AP and while they
removed the radio itself, they did not remove the hostapd instance for
that radio. Remove that to avoid leaving behind invalid instances.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 16 Aug 2015 18:25:35 +0000 (21:25 +0300)]
tests: Fix WPS HTTP test case exceptions
resp.status is an integer, not a string.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 15 Aug 2015 19:24:15 +0000 (22:24 +0300)]
WPS ER: Fix SSDP CACHE-CONTROL line parser
Incorrect number of bytes was skipped from the beginning of the line
which resulted in the loop skipping spaces doing nothing. However, the
following operation was simply looking for the max-age parameter with
os_strstr(), so this did not have any effect on functionality. Fix the
number of bytes to skip and remove the unneeded loop to skip spaces.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Fri, 14 Aug 2015 21:15:57 +0000 (00:15 +0300)]
tests: P2P group formation response during p2p_find
Signed-off-by: Jouni Malinen <j@w1.fi>
Andrei Otcheretianski [Mon, 13 Jul 2015 06:49:16 +0000 (09:49 +0300)]
P2PS: Consider WPS P2PS method when joining a group
If P2PS PD concludes to use default P2PS method, wpas_p2p_scan_res_join()
ignores this value and tries to perform a redundant legacy PD.
Fix this by considering WPS_P2PS method too.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Reviewed-by: Ilan Peer <ilan.peer@intel.com>
Mike Gilbert [Wed, 12 Aug 2015 14:44:42 +0000 (10:44 -0400)]
systemd: Order wpa_supplicant before network.target
Ordering the units before network.target causes them to be stopped
after network.target on shutdown. This ensures that any network
filesystems will be unmounted before wpa_supplicant is killed.
Adding Wants=network.target ensures that network.target will be included
in the active dependency graph. This is typical of units which are
involved in networking setup functions.
Signed-off-by: Mike Gilbert <floppym@gentoo.org>
Jouni Malinen [Fri, 14 Aug 2015 16:24:15 +0000 (19:24 +0300)]
tests: Control interface output buffer limit
This verifies wpa_supplicant behavior in a number of cases where the
external program opening a control interface socket does not behave
properly.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Fri, 14 Aug 2015 16:22:08 +0000 (19:22 +0300)]
Add debug prints for wpa_supplicant ctrl_iface socket send operations
This makes it easier to track the output queue state on a control
interface socket and determine what could be causing issues with running
out of space in the buffer.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Kanchanapally, Vidyullatha [Thu, 13 Aug 2015 07:34:25 +0000 (13:04 +0530)]
Android: Use more flexible userid when launching browser popup
It was possible for the Hotspot 2.0 case of OSU user interaction to fail
with wpadebug browser due to permission denial in the "start" command
("java.lang.SecurityException: Permission Denial: startActivity asks to
run as user -2 but is calling from user 0; this requires
android.permission.INTERACT_ACROSS_USERS_FULL"). Avoid this by using
more flexible USER_CURRENT_OR_SELF (-3) value with the --user argument.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Mahesh A Saptasagar [Tue, 30 Jun 2015 07:11:27 +0000 (12:41 +0530)]
Do not stop ongoing PNO sched_scan on association/disconnection
PNO was stopped by the wpa_supplicant during the connection attempts or
while handling disassociation indication. External entities, mainly the
Android Wi-Fi framework, do not expect PNO to be stopped by other
modules. Hence, do not stop the sched_scan in these scenarios if it is
triggered externally for PNO.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Thu, 13 Aug 2015 17:57:23 +0000 (20:57 +0300)]
tests: Scan and TSF updates from Beacon/Probe Response frames
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Srinivas Dasari [Wed, 12 Aug 2015 10:24:54 +0000 (15:54 +0530)]
nl80211: Use beacon TSF if it is newer than Probe Response TSF
cfg80211 sends TSF information with the attribute NL80211_BSS_BEACON_TSF
if the scan results include information from Beacon frame. Probe
Response frame information is included in NL80211_BSS_TSF. If the device
receives only Beacon frames, NL80211_BSS_TSF might not carry updated
TSF, which results in an older TSF being used in wpa_supplicant. Fetch both
possible TSF values (if available) and choose the latest TSF for the BSS
entry.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Tue, 11 Aug 2015 18:48:55 +0000 (21:48 +0300)]
tests: ap_scan=2 AP mode operation and scan failure
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Tue, 11 Aug 2015 18:46:38 +0000 (21:46 +0300)]
Do not allow ap_scan=2 scan processing to stop AP mode operation
wpa_supplicant_assoc_try() would result in the currently operating AP to
get stopped if wpa_supplicant_scan() ends up getting triggered without
MANUAL_SCAN_REQ while operating an AP. With ap_scan=2, this could
result in unintentional stopping of AP mode operations, so check
explicitly for that case and skip the wpa_supplicant_assoc_try() call if
needed to avoid this.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Tue, 11 Aug 2015 18:44:31 +0000 (21:44 +0300)]
D-Bus: Set last_scan_req to MANUAL_SCAN_REQ on Scan() trigger paths
The D-Bus Scan() handler was setting wpa_s->scan_req = MANUAL_SCAN_REQ
on the code path that used wpa_supplicant_req_scan(). However, it did
not do anything similar for the cases where
wpa_supplicant_trigger_scan() is called directly. This could result in
unexpected wpa_s->last_scan_req value and incorrect behavior especially
when using ap_scan=2 and running a scan while operating in AP mode. Fix
this by explicitly setting wpa_s->last_scan_req = MANUAL_SCAN_REQ when
using wpa_supplicant_trigger_scan() from the Scan() handler.
Signed-off-by: Jouni Malinen <j@w1.fi>
Ahmad Kholaif [Tue, 11 Aug 2015 01:09:27 +0000 (18:09 -0700)]
P2P: Support driver preferred freq list for invitation case
When using P2P invitation to re-invoke a persistent P2P group without
specifying the operating channel, query the driver for the preferred
frequency list, and use it to select the operating channel of the group.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Mon, 10 Aug 2015 22:02:27 +0000 (01:02 +0300)]
OpenSSL: Use connection certificate chain with PKCS#12 extra certs
When using OpenSSL 1.0.2 or newer, this replaces the older
SSL_CTX_add_extra_chain_cert() design with SSL_add1_chain_cert() to keep
the extra chain certificates out from SSL_CTX and specific to each
connection. In addition, build and rearrange extra certificates with
SSL_build_cert_chain() to avoid incorrect certificates and incorrect
order of certificates in the TLS handshake.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Mon, 10 Aug 2015 21:40:27 +0000 (00:40 +0300)]
OpenSSL: Fix PKCS#12 extra certificate handling
Previously, the possible extra certificate(s) from a PKCS#12 file was
added once for each authentication attempt. This resulted in OpenSSL
concatenating the certificates multiple times (add one copy for each try
during the wpa_supplicant process lifetime). Fix this by clearing the
extra chain certificates before adding new ones when using OpenSSL 1.0.1
or newer that include the needed function.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Mon, 10 Aug 2015 21:38:44 +0000 (00:38 +0300)]
tests: Try users2.pkcs12 twice to add coverage
This allows manual verification of extra PKCS#12 certificate processing.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Mon, 10 Aug 2015 19:08:08 +0000 (22:08 +0300)]
tests: AP with open mode and wpa_supplicant ENABLE/DISABLE_NETWORK
ap_open_sta_enable_disable verifies that DISABLE_NETWORK that is issued
while connect/sme-connect radio work is pending is effective, i.e.,
prevents connection to disabled network.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Hu Wang [Mon, 10 Aug 2015 19:12:59 +0000 (22:12 +0300)]
Drop connection attempt if network is disabled before radio work starts
With the radio work design, it is possible for a network entry to get
disabled (e.g., DISABLE_NETWORK <id>) during the time the connect or
sme-connect radio work waits to start. Previously, only the validity of
the BSS entry and BSSID/SSID was verified when starting the actual
connection step. Add call to wpas_network_disabled() to those checks to
catch the case where the network profile is disabled.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Ahmad Kholaif [Mon, 10 Aug 2015 00:44:12 +0000 (17:44 -0700)]
P2P: Support driver preferred freq list for Autonomous GO case
When starting an autonomous GO without specifying the operating channel,
query the driver for the preferred frequency list, and use it to select
the operating channel of the GO (if supported).
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Ilan Peer [Sun, 9 Aug 2015 13:00:41 +0000 (16:00 +0300)]
tests: Properly pass the num of channels to start.sh
The number of channels was not properly passed from the
run-all.sh script to the start.sh script. Fix it.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Jouni Malinen [Sat, 8 Aug 2015 17:48:30 +0000 (20:48 +0300)]
tests: Various wpa_supplicant ctrl_iface OOM cases
Signed-off-by: Jouni Malinen <j@w1.fi>
Amit Khatri [Thu, 6 Aug 2015 07:04:51 +0000 (07:04 +0000)]
Fix a typo in enum wpa_states comment
Signed-off-by: Amit Khatri <amit.khatri@samsung.com>
Signed-off-by: Rahul Jain <rahul.jain@samsung.com>
Jouni Malinen [Sat, 8 Aug 2015 17:51:25 +0000 (20:51 +0300)]
tests: Verify FAIL-BUSY return on SCAN during gas_comeback_delay
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 8 Aug 2015 15:20:29 +0000 (18:20 +0300)]
tests: RSN element protocol testing for STA side
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 8 Aug 2015 16:19:57 +0000 (19:19 +0300)]
Fix PMKID addition to RSN element when RSN Capabilities are not present
This code path could not be hit with the RSNE generated by hostapd or
wpa_supplicant, but it is now possible to reach when using
own_ie_override test functionality. The RSNE and IE buffer length were
not updated correctly in case wpa_insert_pmkid() had to add the RSN
Capabilities field.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 8 Aug 2015 15:18:03 +0000 (18:18 +0300)]
hostapd: Add testing option to override own WPA/RSN IE(s)
This allows the new own_ie_override=<hexdump> configuration parameter to
be used to replace the normally generated WPA/RSN IE(s) for testing
purposes in CONFIG_TESTING_OPTIONS=y builds.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Thu, 6 Aug 2015 13:41:38 +0000 (16:41 +0300)]
FT: Remove optional fields from RSNE when using PMF
The PMKIDCount, PMKID List, and Group Management Cipher Suite fields are
optional to include in the RSNE in cases where these would not have
values that are different from the default values. In practice,
PMKIDCount is always 0 in Beacon and Probe Response frames, so the only
field of these that could have a non-default value is Group Management
Cipher Suite. When BIP is used, that field is not needed either due to
BIP being the default cipher when PMF is enabled.
Remove these fields from RSNE when BIP is used to save six octets in
Beacon and Probe Response frames. In addition to reduced frame length,
this is a workaround for interoperability issues with iOS 8.4 in cases
where FT and PMF are enabled. iOS seems to be rejecting EAPOL-Key msg
3/4 during FT initial mobility domain association if the RSNE includes
the PMKIDCount field.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Thu, 6 Aug 2015 12:51:36 +0000 (15:51 +0300)]
wlantest: Add support for FT-PSK initial association key derivation
This adds minimal support for deriving keys for FT-PSK to allow the
initial mobility domain association to be analyzed in more detail.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Wed, 5 Aug 2015 21:02:47 +0000 (00:02 +0300)]
tests: AP config using wps_config command with invalid passphrase
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Wed, 5 Aug 2015 20:52:10 +0000 (23:52 +0300)]
WPS: Reject AP settings with invalid network key (PSK/passphrase)
This is similar to the earlier commit
b363121a208e3d18fe80682430a5f50cefaa3595 ('WPS: Reject invalid
credential more cleanly'), but for the AP cases where AP settings are
being replaced. Previously, the new settings were taken into use even if
the invalid PSK/passphrase had to be removed. Now, the settings are
rejected with such an invalid configuration.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Thu, 6 Aug 2015 16:54:12 +0000 (19:54 +0300)]
tests: P2PS with group interface and intended iface addr in PD
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Max Stepanov [Thu, 30 Jul 2015 06:00:01 +0000 (09:00 +0300)]
tests: Add P2PS PD feature capability CPT tests
Add tests verifying a Coordination Protocol Transport exchange and
selection during P2PS provision discovery.
Signed-off-by: Max Stepanov <Max.Stepanov@intel.com>
Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Reviewed-by: Ilan Peer <ilan.peer@intel.com>
Andrei Otcheretianski [Wed, 8 Jul 2015 12:55:27 +0000 (15:55 +0300)]
tests: Re-factor PD and connection flows in P2PS tests
Reuse p2ps_provision() and p2ps_connect_pd() methods, and
remove the previous PD helper functions which are no longer used.
This fixes the previously "broken"
p2ps_connect_keypad_method_nonautoaccept and
p2ps_connect_display_method_nonautoaccept.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Reviewed-by: Max Stepanov <Max.Stepanov@intel.com>
Reviewed-by: Ilan Peer <ilan.peer@intel.com>
Andrei Otcheretianski [Thu, 30 Jul 2015 06:00:02 +0000 (09:00 +0300)]
tests: Use p2ps_provision() and p2ps_connect_pd() in p2ps_connect_p2ps_method()
Re-factor p2ps_connect_p2ps_method() so it reuses generic P2PS provision
and connection flows.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Reviewed-by: Ilan Peer <ilan.peer@intel.com>
Andrei Otcheretianski [Thu, 30 Jul 2015 06:00:06 +0000 (09:00 +0300)]
P2PS: Authorize any peer for P2PS method if interface address not known
When P2PS PD with default P2PS method is done, the peer that becomes GO
should authorize the client. However, P2PS specification doesn't require
the client to include its intended interface address in PD
Request/Response. As a result, the P2P Client's interface address may not
be known and any address may need to be authorized.
Previously, client's P2P Device Address was used for authorization,
which is not correct when a dedicated interface is used for P2P Client.
This is not resulting in a connection failure, however it causes a
significant delay (until WPS_PIN_TIME_IGNORE_SEL_REG elapses). Fix this
by authorizing the intended interface address, if known; or any address,
if not known.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Jouni Malinen [Thu, 6 Aug 2015 17:43:25 +0000 (20:43 +0300)]
P2PS: Clean up intended interface address passing to p2ps_prov_complete
Use NULL to indicate if the address is not available instead of fixed
00:00:00:00:00:00. wpas_p2ps_prov_complete() already had code for
converting NULL to that all zeros address for event messages.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Max Stepanov [Thu, 30 Jul 2015 06:00:00 +0000 (09:00 +0300)]
P2PS: Fix PD PIN event notifications
Change P2PS P2P-PROV-SHOW-PIN/P2P-PROV-ENTER-PIN event notifications
on PD Request/Response handling to meet required P2PS behavior.
The new implemented scheme:
1. For a legacy P2P provision discovery the event behavior remains
without changes
2. P2PS PD, advertiser method: DISPLAY, autoaccept: TRUE:
Advertiser: SHOW-PIN on PD request replied with a status SUCCESS
Seeker: ENTER-PIN on PD response received with a status SUCCESS
3. P2PS PD, advertiser method: DISPLAY, autoaccept: FALSE:
Advertiser: SHOW-PIN on PD request replied with a status
INFO_CURRENTLY_UNAVAILABLE
Seeker: ENTER-PIN on Follow-on PD request with a status
SUCCESS_DEFERRED
4. P2PS PD, advertiser method: KEYPAD, autoaccept: TRUE/FALSE:
Advertiser: ENTER-PIN on PD request replied with a status
INFO_CURRENTLY_UNAVAILABLE
Seeker: SHOW-PIN on PD response received with a status
INFO_CURRENTLY_UNAVAILABLE
This change in behavior breaks the existing test cases
p2ps_connect_keypad_method_nonautoaccept and
p2ps_connect_display_method_nonautoaccept. Those will be fixed in a
followup commit.
Signed-off-by: Max Stepanov <Max.Stepanov@intel.com>
Reviewed-by: Ilan Peer <ilan.peer@intel.com>
Ilan Peer [Mon, 27 Jul 2015 19:24:34 +0000 (22:24 +0300)]
tests: Add P2P GO frequency change policy tests
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Ilan Peer [Mon, 27 Jul 2015 19:24:33 +0000 (22:24 +0300)]
tests: Increase timeouts when MCC is enabled
When MCC is enabled, the remain on channel scheduling might
incur additional delays, so increase the timeouts to be able
to receive delayed frames.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Ilan Peer [Mon, 27 Jul 2015 19:24:32 +0000 (22:24 +0300)]
tests: Skip some test cases when MCC is enabled
Some tests assume that only a single channel is used. Skip
such tests/checks when MCC is enabled.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Ilan Peer [Mon, 27 Jul 2015 19:24:30 +0000 (22:24 +0300)]
P2P: Fix P2P_FLUSH clearing of p2p_go_avoid_freq
P2P_FLUSH command did not cleanly clear the p2p_go_avoid_freq data
structure, and left it in an inconsistent state, where the range field
was NULL but the num field was not 0. This would have resulted in an
invalid memory access in freq_range_list_includes().
Fix this.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Ilan Peer [Mon, 27 Jul 2015 19:24:27 +0000 (22:24 +0300)]
P2P: Do not perform P2P GO CS in some cases
A P2P GO channel switch should not be triggered in all cases that
require channel list update. Specifically, a P2P GO CS should not
be triggered in case that the P2P GO state changed or in case that
the P2P GO has just completed a CS.
To fix this, add reason code to wpas_p2p_channel_list_update() and
trigger CS flow only for the relevant cases.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Ilan Peer [Mon, 27 Jul 2015 19:24:26 +0000 (22:24 +0300)]
P2P: Disallow GO CS immediately after GO Negotiation or invitation
A newly created GO might move to another channel before the client was
able to connect to it. This creates a situation where the client
searches the GO on the channel agreed upon during GO Negotiation or
invitation signaling, while the GO is on another channel. This in turn
might lead to delayed connection or connection failure and group
removal.
Fix this by disallowing a GO CS as long as there is some activity that
should delay the switch. If a GO move is not allowed, set a timeout to
re-attempt the move.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Ilan Peer [Mon, 27 Jul 2015 19:24:25 +0000 (22:24 +0300)]
P2P: Consider channel optimizations for additional cases
Re-factor the code, so channel optimizations would be also triggered
upon the following changes: channel updates from the kernel,
disallow_freq interface, etc.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Arik Nemtsov [Mon, 27 Jul 2015 19:24:24 +0000 (22:24 +0300)]
Refactor channel list update event in wpa_supplicant
Update hardware features for all interfaces inside the loop, don't treat
the calling wpa_s instance specially. Perform the P2P channel list
updates after the hardware features are updated. This will prevent P2P
from relying on stale information.
Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
Ilan Peer [Mon, 27 Jul 2015 19:24:23 +0000 (22:24 +0300)]
P2P: Modify wpas_p2p_init_go_params()
Not all paths in wpas_p2p_init_go_params() verified that the candidate
frequency can be used for GO purposes. Fix this, and in addition
re-factor the code to put better emphasis on the frequency selection
priorities.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Ilan Peer [Mon, 27 Jul 2015 19:24:22 +0000 (22:24 +0300)]
P2P: Remove GO handling in avoid frequency event
Remove the code that considers removing GOs from their current
channel due to frequency interference, as this is already handled
as part of the P2P channels update.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Ilan Peer [Mon, 27 Jul 2015 19:24:21 +0000 (22:24 +0300)]
P2P: Move a GO to a frequency that is also supported by the client
A P2P GO interface that was instantiated after a GO Negotiation or
Invitation holds the intersection of frequencies between the GO and the
client. In case the GO is going to move to another frequency, allow it
to move only to a frequency that is also supported by the client.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Ilan Peer [Mon, 27 Jul 2015 19:24:20 +0000 (22:24 +0300)]
P2P: Add a function to compute the group common freqs
Add a function to compute the group common frequencies, and
use it to update the group_common_frequencies as part of the
channel switch flows.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Ilan Peer [Mon, 27 Jul 2015 19:24:19 +0000 (22:24 +0300)]
P2P: Move a GO from its operating frequency
Upon any change in the currently used channels evaluate if a GO should
move to a different operating frequency, where the possible scenarios are:
1. The frequency that the GO is currently using is no longer valid,
due to regulatory reasons, and thus the GO must be moved to some
other frequency.
2. Due to Multi Concurrent Channel (MCC) policy considerations, it would
be preferable, based on configuration settings, to prefer Same
Channel Mode (SCM) over concurrent operation in multiple channels.
The supported policies:
- prefer SCM: prefer moving the GO to a frequency used by some other
interface.
- prefer SCM if Peer supports: prefer moving the GO to a frequency
used by some other station interface iff the other station
interface is using a frequency that is common between the local and
the peer device (based on the GO Negotiation/Invitation signaling).
- Stay on the current frequency.
Currently, the GO transition to another frequency is handled by a
complete tear down and re-setup of the GO. Still need to add CSA flow to
the considerations.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Andrei Otcheretianski [Mon, 27 Jul 2015 19:24:18 +0000 (22:24 +0300)]
Share freq-to-channel conversion function
Add ieee80211_freq_to_channel_ext() conversion function into
ieee802_11_common.c. This function converts freq to channel and
additionally computes operating class, based on provided HT and VHT
parameters.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Jouni Malinen [Mon, 3 Aug 2015 15:52:10 +0000 (18:52 +0300)]
tests: Make dbus_p2p_group_termination_by_go more robust
Set peer_group_removed only if peer_group_added has already been set.
This fixes an issue where a propertiesChanged event triggered by an
earlier test case was able to get dbus_p2p_group_termination_by_go
terminated too early. This happened, e.g., with sequence
"dbus_p2p_two_groups dbus_p2p_group_termination_by_go".
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Mon, 3 Aug 2015 15:35:35 +0000 (18:35 +0300)]
tests: Avoid exception in dbus_p2p_two_groups
Only run peerJoined() steps once to avoid trying to use GetAll() on an
already removed group and double-removal of a group. This did not make
the test case fail, but the exception is printed out in a pretty confusing
way to stdout, so better get rid of it.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Mon, 3 Aug 2015 14:54:31 +0000 (17:54 +0300)]
tests: hostapd ctrl_iface LOG_LEVEL
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Mon, 3 Aug 2015 14:53:52 +0000 (17:53 +0300)]
tests: Fix hostapd debug level
Remove the duplicated -ddKt command line argument to avoid setting
hostapd debug level to EXCESSIVE.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Srinivas Dasari [Sun, 2 Aug 2015 09:34:21 +0000 (15:04 +0530)]
hostapd: Add support to configure debug log level at runtime
Add support to read/configure log_level using hostapd control interface
LOG_LEVEL command similarly to what was already supported in
wpa_supplicant.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Mon, 3 Aug 2015 14:44:55 +0000 (17:44 +0300)]
Move debug level string conversion functions to wpa_debug.c
This makes it possible to use these helper functions from hostapd as
well as the current use in wpa_supplicant.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Mon, 3 Aug 2015 14:37:05 +0000 (17:37 +0300)]
FST: Mark fst_ies buffer const
This buffer is owned by the FST module, so mark it const in the
set_ies() callback to make it clearer which component is responsible for
modifying and freeing this.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Anton Nayshtut [Mon, 27 Jul 2015 13:45:36 +0000 (16:45 +0300)]
FST: Fix MB IE clearing on detach
This fixes an issue where freed MB IEs buffer memory could potentially
have been accessed after an interface is detached from FST group.
Without this fix, if an interface is detached from FST group, it can use
MB IEs buffer previously set by fst_iface_set_ies(), although the buffer
was released by fst_iface_delete().
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Daichi Ueura [Mon, 13 Jul 2015 15:31:22 +0000 (00:31 +0900)]
Android: Handle STATUS-NO_EVENTS command in wpa_cli
NO_EVENTS parameter was added to STATUS command by commit
a6ab82d7b409cd95c4e64452c2a672d4ce4c3c99 ('Android: Add NO_EVENTS
parameter to status command'). This patch adds handling of the new
parameter in wpa_cli so that "status no_events" can be used to specify
this parameter.
Signed-off-by: Daichi Ueura <daichi.ueura@sonymobile.com>
Daichi Ueura [Mon, 13 Jul 2015 15:31:21 +0000 (00:31 +0900)]
Android: Make wpa_cli work on wifi.interface without extra params
Currently wpa_cli connects to global control interface if -i/-p
parameters are not specified. wpa_cli on global control interface
is not useful since a prefix like "IFNAME=wlan0 " needs to be
added to some commands like "IFNAME=wlan0 scan". And, specifying
-i/-p parameters every time is annoying. To improve efficiency of
debugging, this patch enables wpa_cli to work without extra
parameters.
If you still want to connect to global control interface,
the following command can be used instead:
$ wpa_cli -g@android:wpa_wlan0 (or -gwlan0)
Signed-off-by: Daichi Ueura <daichi.ueura@sonymobile.com>
Masashi Honma [Wed, 8 Jul 2015 13:41:36 +0000 (22:41 +0900)]
mesh: Fix mesh SAE auth on low spec devices
The mesh SAE auth often fails with master branch. By bisect I found
commit eb5fee0bf50444419ac12d3c7f38f27a47523a47 ('SAE: Add side-channel
protection to PWE derivation with ECC') causes this issue. This does not
mean the commit has a bug. This is just a CPU resource issue.
After the commit, sae_derive_pwe_ecc() spends 101(msec) on my PC (Intel
Atom N270 1.6GHz). But dot11RSNASAERetransPeriod is 40(msec). So
auth_sae_retransmit_timer() is always called and it can cause
continuous frame exchanges. Before the commit, it was 23(msec).
In the IEEE 802.11 spec, the default value of dot11RSNASAERetransPeriod
is defined as 40(msec). But it looks short because generally mesh
functionality will be used on low spec devices. Indeed Raspberry Pi B+
(ARM ARM1176JZF-S 700MHz) requires 287(msec) for new
sae_derive_pwe_ecc().
So this patch makes the default 1000(msec) and makes it configurable.
This issue does not occur on infrastructure SAE because the
dot11RSNASAERetransPeriod is not used on it.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
Johannes Berg [Fri, 17 Jul 2015 20:24:58 +0000 (22:24 +0200)]
tests: Work around iw scan getting stuck
On recent kernels, it seems that something changed (scheduler?)
that makes hwsim send the scan done event so quickly that iw isn't
scheduled back in to listen for it, causing iw to get stuck.
Work around this by using the scan trigger command (it'll be quick
enough so that we don't really need to wait) and the scan trigger
and dump commands where the results are required (and use a small
sleep there instead of waiting for the scan results.)
I'll try to fix this separately in iw later.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Jouni Malinen [Sun, 2 Aug 2015 17:48:56 +0000 (20:48 +0300)]
tests: P2P extended listen timing operations
This verifies P2P extended listen timing operations by confirming that a
peer is not discoverable during the provisioning step and that the peer
becomes discoverable after having removed the group during such
provisioning step. The latter case was broken until the 'P2P: Cancel
group formation when deleting a group during group formation' commit.
Signed-off-by: Jouni Malinen <j@w1.fi>
Michael Olbrich [Thu, 30 Jul 2015 10:14:24 +0000 (12:14 +0200)]
P2P: Cancel group formation when deleting a group during group formation
Otherwise P2P remains in provisioning state and continues to skip
extended listening forever.
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
Purushottam Kushwaha [Fri, 31 Jul 2015 04:54:04 +0000 (04:54 +0000)]
P2P: Fix update of listen_reg_class and listen_channel
Allow proper update for listen_reg_class and listen_channel with
changed_parameters [CFG_CHANGED_P2P_LISTEN_CHANNEL] configuration for
command received through ctrl_interface. Without this, "set
p2p_listen_channel" and "set p2p_listen_reg_class" do not update the
listen channel. The D-Bus version was already setting these flags.
Signed-off-by: Purushottam Kushwaha <p.kushwaha@samsung.com>
Jouni Malinen [Sun, 2 Aug 2015 16:28:41 +0000 (19:28 +0300)]
tests: D-Bus PropertiesChanged events on P2P Peer.Groups
Verify that Groups list for a P2P Peer gets updated properly on group
addition and removal (three different paths).
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 2 Aug 2015 16:25:41 +0000 (19:25 +0300)]
P2P: Do not clear wpa_s->go_dev_addr before group removal
This variable is needed to figure out whether a wpa_supplicant interface
is for a P2P group that is (or was) connected to a specific GO. The
previous implementation was able to find such a case only when there was
an association with the GO. However, this may be needed even if there is
a temporary disconnection from the GO. Keep the GO device address
information over such temporary disconnections and only remove it on
group termination. This fixes an issue with D-Bus Peer PropertiesChanged
signals for the Groups property in case a P2P group gets removed due to
group idle timeout instead of explicit group termination command (local
request) or GO notification.
Signed-off-by: Jouni Malinen <j@w1.fi>
Gautam [Fri, 31 Jul 2015 09:04:30 +0000 (14:34 +0530)]
P2P: Fix P2P configuration file name
The P2P configuration file is wrongly set as STA configuration file,
even though a separate configuration file is mentioned with '-m' option.
Add initialization and deallocation of global.params->conf_p2p_dev to
fix this.
Signed-off-by: Gautam <gautams@broadcom.com>
Jouni Malinen [Sun, 2 Aug 2015 14:11:47 +0000 (17:11 +0300)]
tests: Run Suite B test cases with OpenSSL 1.1.0
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 2 Aug 2015 13:16:58 +0000 (16:16 +0300)]
tests: Skip ERP tests with EAP methods that are not supported
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 2 Aug 2015 12:58:08 +0000 (15:58 +0300)]
tests: Skip LEAP tests if not included in the build
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 2 Aug 2015 12:50:23 +0000 (15:50 +0300)]
tests: Skip IEEE 802.1X dynamic WEP tests in FIPS mode
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 1 Aug 2015 20:37:07 +0000 (23:37 +0300)]
Add build option to remove all internal RC4 uses
The new CONFIG_NO_RC4=y build option can be used to remove all internal
hostapd and wpa_supplicant uses of RC4. It should be noted that external
uses (e.g., within a TLS library) do not get disabled when doing this.
This removes capability of supporting WPA/TKIP, dynamic WEP keys with
IEEE 802.1X, WEP shared key authentication, and MSCHAPv2 password
changes.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 1 Aug 2015 19:54:07 +0000 (22:54 +0300)]
tests: Skip WPA(V1) test cases in FIPS mode
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 1 Aug 2015 19:39:21 +0000 (22:39 +0300)]
OpenSSL: Fix FIPS mode enabling in dynamic interface case
FIPS_mode_set(1) cannot be called multiple times which could happen in
some dynamic interface cases. Avoid this by enabling FIPS mode only
once. There is no code in wpa_supplicant to disable FIPS mode, so once
it is enabled, it will remain enabled.
Signed-off-by: Jouni Malinen <j@w1.fi>