www.project-moonshot.org Git - mech

Do not send Acct-Authentic in Accounting-On/Off

Acct-Authentic is used to indicate how the user was authenticated and as
such, should not be sent in Accounting-On and Accounting-Off.

Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>

RADIUS: Do not include Acct-Terminate-Cause in Accounting-On/Off

Per RFC 2866, 5.10, it is invalid to send Acct-Terminate-Cause in
Accounting-On and Accounting-Off (this is included only when
Acct-Status-Type is set to Stop).

Signed-off-by: Nick Lowe <nick.lowe@lugatech.com>

Make fallback from HT40 to HT20 work

Ensure that if it is not possible to configure an allowed 20 MHz
channel pair, hostapd falls back to a single 20 MHz channel.

Signed-off-by: Eduardo Abinader <eabinader@ocedo.com>

tests: Allow fallback to 20 MHz in ap_ht40_5ghz_invalid_pair

This test case for enforcing that AP setup fails in case there is need
to fall back to 20 MHz channel due to invalid 40 MHz configuration.
Modify this to allow successful AP startup as long as 40 MHz channel
does not get enabled.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

BSD: Zero ifindex on interface removal

If an interface is removed, zero the remembered ifindex.
Don't try to set properties on the interface when it is removed.

Signed-off-by: Roy Marples <roy@marples.name>

Android: Support multiple CA certs when connecting to EAP network

In the Android-specific case, make ca_cert directive parse a
space-separated list of hex-encoded CA certificate aliases following the
"keystores://" prefix. Server certificate validation should succeed as
long as the chain ends with one of them.

Signed-off-by: Rubin Xu <rubinxu@google.com>

tests: WNM BSS Transition Management with invalid operating class

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

WNM: Workaround for broken AP operating class behavior

Some APs do not advertise operating classes correctly for BSS Transition
Management. Try to determine the most likely operating frequency based
on the channel number (1..14 --> 2.4 GHz; 36..169 --> 5 GHz) if invalid
op_class == 0 is received in a BSS Transition Management Request. This
speeds up the following operating by avoiding a full scan due to an
unknown channel.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

BSD: Disable interface on down

Instead of removing the interface when downed, disable it. Enable it
when it comes back up again.

Signed-off-by: Roy Marples <roy@marples.name>

BSD: Use correct ifindex from route messages

Use the interface index from the correct structure according to the
message instead of assuming rtm_index is correct.

Signed-off-by: Roy Marples <roy@marples.name>

BSD: __FUNCTION__ -> __func__

Signed-off-by: Roy Marples <roy@marples.name>

OSU: Add debug printing of more LogotypeExtn fields

Couple of the image info fields were not printed previously in debug
log. Add those to make this more complete.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

Add the selector suite into wpa_parse_wpa_ie_rsn() "invalid group cipher"

This makes it easier to debug AP selection issues in case of a invalid
RSN element or use of customer cipher suites that are not supported by
wpa_supplicant.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

tests: P2P persistent group re-invocation with peer having dropped info

This verifies that the persistent group information gets dropped based
on peer response (unknown group) and that a new group formation can be
completed after such invitation failure.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

tests: EAP-TLS error cases

Signed-off-by: Jouni Malinen <j@w1.fi>

tests: EAP-TLS protocol tests

Signed-off-by: Jouni Malinen <j@w1.fi>

tests: Generate new certificates for Suite B test cases

The previous version expired in January. The new ones are from running
ec-generate.sh and ec2-generate.sh again.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

VHT: Add an interoperability workaround for 80+80 and 160 MHz channels

Number of deployed 80 MHz capable VHT stations that do not support 80+80
and 160 MHz bandwidths seem to misbehave when trying to connect to an AP
that advertises 80+80 or 160 MHz channel bandwidth in the VHT Operation
element. To avoid such issues with deployed devices, modify the design
based on newly proposed IEEE 802.11 standard changes.

This allows poorly implemented VHT 80 MHz stations to connect with the
AP in 80 MHz mode. 80+80 and 160 MHz capable stations need to support
the new workaround mechanism to allow full bandwidth to be used.
However, there are more or less no impacted station with 80+80/160
capability deployed.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

nl8021: Avoid potential memory leak on error path

The called function nl80211_ht_vht_overrides() was not freeing "msg"
resource in error cases.

Signed-off-by: Purushottam Kushwaha <p.kushwaha@samsung.com>

tests: Verify that ip_addr_* gets written to config file

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

Allow re-write of ip_addr* configurations to conf file.

This patch keeps ip_addr* configuration in conf file while
updating supplicant conf file either internally by supplicant or
due to save_config command.

Signed-off-by: Purushottam Kushwaha <p.kushwaha@samsung.com>
Signed-off-by: Avichal Agarwal <avichal.a@samsung.com>

dbus: Restrict DeviceName size to 32 characters in setter

The maximum WPS Device Name length is 32 characters and that limit was
already enforced for the control interface and configuration files.

Signed-off-by: Purushottam Kushwaha <p.kushwaha@samsung.com>

Sort options and reduce printf calls in wpa_supplicant usage text

Signed-off-by: Roy Marples <roy@marples.name>

Fix wpa_supplicant build with IEEE8021X_EAPOL=y and CONFIG_NO_WPA=y

The PMKSA caching and RSN pre-authentication components were marked as
conditional on IEEE8021X_EAPOL. However, the empty wrappers are needed
also in a case IEEE8021X_EAPOL is defined with CONFIG_NO_WPA.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

tests: Roam between two WPA2-PSK APs and try to hit a disconnection race

This is a regression test case for hostapd bug where the
disconnection/deauthentication TX status callback timeout could be
forgotten after new association if no ACK frame was received and the STA
managed to reconnect within two seconds.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

AP: Print interface name in more STA events

This makes it easier to follow a debug log from a hostapd process that
manages multiple interfaces.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

AP: Fix Deauth/Disassoc TX status timeout handling

The ap_sta_deauth_cb and ap_sta_disassoc_cb eloop timeouts are used to
clear a disconnecting STA from the kernel driver if the STA did not ACK
the Deauthentication/Disassociation frame from the AP within two
seconds. However, it was possible for a STA to not ACK such a frame,
e.g., when the disconnection happened due to hostapd pruning old
associations from other BSSes and the STA was not on the old channel
anymore. If that same STA then started a new authentication/association
with the BSS, the two second timeout could trigger during this new
association and result in the STA entry getting removed from the kernel.

Fix this by canceling these eloop timeouts when receiving an indication
of a new authentication or association.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

EAP peer: Use ifdef PCSC_FUNCS to get rid of compiler warnings

clang started warning about the use of || with constants that came from
PCSC_FUNCS not being enabled in the build. It seems to be easier to just
ifdef this block out completely since that has the same outcome for
builds that do not include PC/SC support.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

FST: Get rid of gcc extensions in structure/array initialization

These constructions were causing warnings when build with clang.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

hs20-osu-client: Fix check for osu_nai being available

This is an array, so the pointer is never NULL; need to check that the
first character is not '\0' instead.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

tests: Fix EAP-SAKE error test case coverage

This was missing the second eap_sake_compute_mic() call in
eap_sake_process_confirm().

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

tests: More EAP-MSCHAPv2 error coverage

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

tests: Fix wpas_ctrl_oom

The OpenSSL memory allocation changes broke this test case. Fix this by
removing the cases that do not get triggered anymore and add a separate
wpas_ctrl_error test case to cover the fail_test() versions of errors.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

OpenSSL: Clean up openssl_digest_vector() to use a single implementation

Use compatibility wrapper functions to allow a single implementation
based on the latest OpenSSL API to be used to implement these functions
instead of having to maintain two conditional implementation based on
the library version.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

OpenSSL: Clean up crypto_hash_*() to use a single implementation

Use compatibility wrapper functions to allow a single implementation
based on the latest OpenSSL API to be used to implement these functions
instead of having to maintain two conditional implementation based on
the library version.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

LibreSSL: Fix build with LibreSSL

The changes needed for OpenSSL 1.1.0 had broken this since LibreSSL is
defining OPENSSL_VERSION_NUMBER in a manner that claims it to be newer
than the current OpenSSL version even though it does not support the
current OpenSSL API.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

EAP-TTLS peer: Fix success after fragmented final Phase 2 message

If the final Phase 2 message needed fragmentation, EAP method decision
was cleared from UNCOND_SUCC or COND_SUCC to FAIL and that resulted in
the authentication failing when the EAP-Success message from the server
got rejected. Fix this by restoring the EAP method decision after
fragmentation.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

tests: Clean up eap_proto_ikev2

Use helper variable to indicate end of the test case instead of having
to use a fixed length of the loop.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

tests: EAP-IKEv2 with default fragment_size

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

tests: More EAP-SIM and EAP-AKA local error coverage

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

tests: fail_test instead of alloc_fail for aes_{encrypt,decrypt}_init

This is needed to fix ap_wpa2_eap_psk_oom, ap_wpa2_eap_sim_oom,
eap_proto_psk_errors, and ap_ft_oom with the new OpenSSL dynamic memory
allocation design.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

tests: aes_encrypt_init() and aes_decrypt_init() to use TEST_FAIL

Now the these functions cannot be made to fail by forcing the memory
allocation fail since the OpenSSL-internal version is used, add
TEST_FAIL check to allow OOM test cases to be converted to use the
TEST_FAIL mechanism without reducing coverage.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

OpenSSL: Use EVP_CIPHER_CTX_new() to work with OpenSSL 1.1.0

The EVP_CIPHER_CTX structure will be made opaque in OpenSSL 1.1.0, so
need to use EVP_CIPHER_CTX_new() with it instead of stack memory. The
design here moves the older OpenSSL versions to use that dynamic
allocation design as well to minimize maintenance effort.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

OpenSSL: Update session_secret callback to match OpenSSL 1.1.0 API

The SSL_CIPHER **cipher argument was marked const in OpenSSL 1.1.0
pre-release 2 similarly to how this is in BoringSSL. Fix build with that
in preparation for supporting OpenSSL 1.1.0.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

tests: Additional EAP-pwd error case coverage

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

EAP server: Simplify EAP method registration call

Free the allocated structure in error cases to remove need for each EAP
method to handle the error cases separately. Each registration function
can simply do "return eap_server_method_register(eap);" in the end of
the function.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

EAP peer: Simplify EAP method registration call

Free the allocated structure in error cases to remove need for each EAP
method to handle the error cases separately. Each registration function
can simply do "return eap_peer_method_register(eap);" in the end of the
function.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

EAP-WSC peer: Remove unused state values

The FRAG_ACK and DONE state were not used at all, so remove them.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

tests: WPS and EAP-WSC in network profile

This goes through some error paths that do not really show up in real
WPS use cases.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

tests: Fix ERP anonymous_identity test cases

These need to be run without realm in the identity value to allow the
realm from the anonymous_identity to be used.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

tests: EAP-WSC protocol tests

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

tests: Renew the expired OCSP responder certificate

This certificate expired and that makes couple of test cases fail.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

tests: EAP protocol tests for canned EAP-Success after identity

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

tests: ERP and local error cases

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

tests: ERP and anonymous identity

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

bsd: Optimize socket use

Create global init to handle socket calls and route messages.
Register each interface inside the global driver so that
routing messages can find the interface based on rtm_ifindex.

Signed-off-by: Roy Marples <roy@marples.name>

nl80211: Report disassociated STA / lost peer for the correct BSS

We shouldn't use drv->ctx as it always points to the first BSS. When
using FullMAC driver with multi-BSS support it resulted in incorrect
treating nl80211 events. I noticed with with brcmfmac and BCM43602.

Before my change I was getting "disassociated" on a wrong interface:
wlan0-1: STA 78:d6:f0:00:11:22 IEEE 802.11: associated
wlan0-1: STA 78:d6:f0:00:11:22 WPA: pairwise key handshake completed (RSN)
wlan0: STA 78:d6:f0:00:11:22 IEEE 802.11: disassociated

With this patch it works as expected:
wlan0-1: STA 78:d6:f0:00:11:22 IEEE 802.11: associated
wlan0-1: STA 78:d6:f0:00:11:22 WPA: pairwise key handshake completed (RSN)
wlan0-1: STA 78:d6:f0:00:11:22 IEEE 802.11: disassociated

This doesn't apply to hostapd dealing with SoftMAC drivers when handling
AP SME & MLME is done it hostapd not the firmware.

Signed-off-by: Rafał Miłecki <zajec5@gmail.com>

Drop OpenSSL 0.9.8 patches to add EAP-FAST support

The OpenSSL project will not support version 0.9.8 anymore. As there
won't be even security fixes for this branch, it is not really safe to
continue using 0.9.8 and we might as well drop the EAP-FAST patches for
it.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

tests: EAP-SIM/AKA with external GSM/UMTS auth failing

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

tests: EAP-SIM with external GSM auth and replacing SIM

These test cases verify that EAP-SIM with external GSM auth supports the
use case of replacing the SIM. The first test case does this incorrectly
by not clearing the pseudonym identity (anonymous_identity in the
network profile) while the second one clears that and shows successful
connection.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

OpenSSL: Fix client certificate chain building after PKCS#12 use

If wpa_supplicant was first configured with PKCS #12 -based client
certificate chain and then used with another network profile that used a
different certificate chain from a X.509 certificate PEM file instead of
PKCS#12, the extra certificate chain was not reconstructed properly with
older versions of OpenSSL that 1.0.2. This could result in the
authentication failing due to the client certificate chain not being
complete or including incorrect certificates.

Fix this by clearing the extra certificate chain when setting up a new
TLS connection with OpenSSL 1.0.1. This allows OpenSSL to build the
chain using the default mechanism in case the new TLS exchange does not
use PKCS#12.

The following hwsim test case sequence was able to find the issue:
ap_wpa2_eap_tls_pkcs12 ap_wpa2_eap_tls_intermediate_ca_ocsp

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

ACS: Remove unreachable case from a debug print

n_chans can have only values 1, 2, or 4 in this function, so the -1 case
could never be reached. Remove the unreachable case to get rid of static
analyzer warnings.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

Remove a pointer check that can never be true

chan is set to the result of pointer arithmetic (pointer to an entry in
an array) that can never be NULL. As such, there is no need to check for
it to be non-NULL before deference. Remove this check to avoid
complaints from static analyzers.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

ACS: Be more consistent with iface->current_mode checks

Offloading of ACS to the driver changed the design a bit in a way that
iface->current_mode could actually be NULL when the offloaded ACS
mechanism supports band selection in addition to channel selection. This
resulted in a combination that is too complex for static analyzers to
notice. While acs_init() can be called with iface->current_mode == NULL
that is only in the case where WPA_DRIVER_FLAGS_ACS_OFFLOAD is in use.
In other words, the actual ACS functions like acs_cleanup() that would
dereference iface->current_mode are not used in such a case.

Get rid of static analyzer warnings by explicitly checking
iface->current_mode in acs_init() for the case where ACS offloading is
not used.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

P2P: Print find_start in debug log when ignoring old scan results

This makes it easier to debug issues with old scan results being ignored
during P2P_FIND. A single rx_time would have been fine with
os_gettime(), but with os_get_reltime(), both rx_time and find_start
values are needed.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

l2_packet: Extend bridge workaround RX processing to cover two frames

There was a race condition in how the l2_packet sockets got read that
could result in the same socket (e.g., non-bridge) to process both the
EAP-Success and the immediately following EAPOL-Key msg 1/4 instead of
each frame going in alternative order between the bridge and non-bridge
sockets. This could be hit, e.g., if the wpa_supplicant process did not
have enough CPU to process all the incoming frames without them getting
buffered and both sockets reporting frames simultaneously.

This resulted in the duplicated EAP-Success frame getting delivered
twice for processing and likely also the EAPOL-Key msg 1/4 getting
processed twice. While the latter does not do much harm, the former did
clear the EAP authentication state and could result in issues.

Fix this by extended the l2_packet Linux packet socket workaround for
bridge to check for duplicates against the last two received frames
instead of just the last one.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

tests: Make eap_check_auth() error on missing selectedMethod clearer

It was possible to hit an error case in ap_wpa2_eap_in_bridge where the
selectedMethod STATUS field was not available. This resulted in not very
helpful "'selectedMethod'" message in the test log file. Make this
clearer by dumping all received STATUS fields and a clearer exception
message indicating that selectedMethod was missing.

Signed-off-by: Jouni Malinen <j@w1.fi>

l2_packet: Improve bridge workaround RX processing

It was possible for the packet socket on the bridge interface to receive
own transmitted frames between the bridge and non-bridge sockets
receiving the same incoming frame from a foreign host. This resulted in
the hash checksum validation step failing to notice a duplicate RX due
to the own frame updating the store hash value.

The own frame did get dropping in RX EAPOL processing, but that was too
late to address the issue with duplicate RX. Fix this by dropping own
frames already in l2_packet layer before checking and updating the last
RX hash value.

Signed-off-by: Jouni Malinen <j@w1.fi>

tests: EAP-PAX local error cases

Signed-off-by: Jouni Malinen <j@w1.fi>

EAP-PAX: Check hmac_sha1_vector() return value

This function can fail at least in theory, so check its return value
before proceeding. This is mainly helping automated test case coverage
to reach some more error paths.

Signed-off-by: Jouni Malinen <j@w1.fi>

tests: WPS and EAP-WSC error cases

Signed-off-by: Jouni Malinen <j@w1.fi>

tests: EAP-OTP local error cases

Signed-off-by: Jouni Malinen <j@w1.fi>

tests: WPA2-Enterprise connection using EAP-TTLS/EAP-GTC (OOM)

Signed-off-by: Jouni Malinen <j@w1.fi>

tests: EAP-EKE peer OOM in building ID message

The previous attempt at testing this path ended up selecting a different
wpabuf_alloc() call.

Signed-off-by: Jouni Malinen <j@w1.fi>

tests: WPA2-Enterprise connection using EAP vendor test (OOM)

Signed-off-by: Jouni Malinen <j@w1.fi>

tests: Speed up discovery_group_client and nfc_p2p_client

There is no need for these to go through a full scan when the GO
operating channel is known.

Signed-off-by: Jouni Malinen <j@w1.fi>

P2P: Clear groups first on FLUSH command

This is needed to get proper P2P group removal processing for some test
cases. discovery_group_client followed by nfc_p2p_client was able to hit
a case where the P2P group idle timeout survived to the next group
instance because of the FLUSH command not clearing the group and this
timeout properly.

Signed-off-by: Jouni Malinen <j@w1.fi>

mesh: Do not force another peering exchange on driver event

If the local driver indicated a peer candidate event when the peer had
already initiated peering exchange in open mesh case, we used to force a
new exchange to be started instead of allowing the previously started
exchange to complete. This is not desirable, so make this initiation of
the new exchange conditional on there not being an already started (or
successfully completed) exchange.

Signed-off-by: Jouni Malinen <j@w1.fi>

mesh: Do not clear link state on driver event if exchange was started

If the local driver event for a new peer candidate arrived only after
the peer had already initiated the peering exchange, we used to clear
the link state. This resulted in the already completed (or in progress)
exchange getting abandoned and a new exchange initiated. This is not
desirable since the already started (or even completed) exchange can be
used. Clear the link state only when adding the new STA entry for the
first time, i.e., use the same !sta->my_lid condition in handling the
driver event similarly to how the peer initiated cases were already
handled.

Signed-off-by: Jouni Malinen <j@w1.fi>

mesh: Add some more details to MPM debug messages

This makes it easier to follow the debug log when trying to figure out
issues with mesh peering exchange.

Signed-off-by: Jouni Malinen <j@w1.fi>

nl80211: Add a missing space to a debug message

The "nl80211: New peer candidate" debug message did not have a space
before the MAC address.

Signed-off-by: Jouni Malinen <j@w1.fi>

mesh: Connection and group started/removed events into debug log

The messages were sent out with wpa_msg_ctrl() so they were not visible
in the debug log. However, these would be quite helpful strings to
search for in the debug log, so change these messages to use wpa_msg().

Signed-off-by: Jouni Malinen <j@w1.fi>

Add more hostapd.conf documentation for hw_mode with HT/VHT

Try to make it more obvious that hw_mode=a needs to be used with HT and
VHT when using the 5 GHz band.

Signed-off-by: Jouni Malinen <j@w1.fi>

EAP-PEAP peer: Cryptobinding in fast-reconnect case with inner EAP

This was reported to fail with Windows 2012r2 with "Invalid Compound_MAC
in cryptobinding TLV". It turns out that the server decided to go
through inner EAP method (EAP-MSCHAPv2 in the reported case) even when
using PEAP fast-reconnect. This seems to be against the [MS-PEAP]
specification which claims that inner EAP method is not used in such a
case. This resulted in a different CMK being derived by the server (used
the version that used ISK) and wpa_supplicant (used the version where
IPMK|CMK = TK without ISK when using fast-reconnect).

Fix this interop issue by making wpa_supplicant to use the
fast-reconnect version of CMK derivation only when using TLS session
resumption and the server having not initiated inner EAP method before
going through the cryptobinding exchange.

Signed-off-by: Jouni Malinen <j@w1.fi>

P2P: Try SD Query with each non-ACK peer only once per search iteration

The previous behavior of bursting out all retry attempts of an SD Query
frame during a single search/listen iteration does not look very helpful
in the case where the peer does not ACK the query frame. Since the peer
was found in the search, but is not ACKing frames anymore, it is likely
that it left its listen state and we might as well do something more
useful to burst out a significant number of frames in hopes of seeing
the peer.

Modify the SD Query design during P2P Search to send out only a single
attempt (with likely multiple link-layer retries, if needed) per
search/listen iteration to each peer that has pending SD queries. Once
no more peers with pending queries remain, force another Listen and
Search phase to go through before continuing with the pending SD
queries.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

Clear wpa_supplicant state to DISCONNECTED on FLUSH command

It was possible for the FLUSH command to trigger auto connect mechanism
to schedule a new scan in 100 ms. This is not desired since all the
network profiles will be removed immediately and the scan or an attempt
to reconnect would not be of any benefit here. Such a scan in 100 ms can
cause issues for cases where multiple test sequences are run back to
back, so prevent this by clearing wpa_supplicant state to DISCONNECTED
(which avoids scheduling of the 100 ms scan trigger on disconnection) if
the state was AUTHENTICATING or higher when the FLUSH command was
issued.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

tests: Make P2P discovery on non-social channel cases more robust

The test cases discovery_ctrl_char_in_devname and discovery_group_client
tried to allow three P2P_FIND instances to be used before reporting an
error. However, this did not really work properly since the second and
third attempts would likely fail to start the initial special P2P_FIND
scan due to an already ongoing p2p_scan operation. Fix this by stopping
the previous P2P_FIND and waiting for the scan to complete if a retry is
needed.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

HS 2.0: Add some documentation for OSEN and network block use

This adds notes on how wpa_supplicant can be configured for OSEN for a
link-layer protected online signup connection and how network profiles
can be set for a Hotspot 2.0 data connection when using external
Interworking network selection.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

tests: EAP-LEAP protocol tests (error paths)

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

tests: wpa_supplicant AP mode - unexpected P2P IE in Association Request

This verifies that there is no NULL pointer dereference when the AP code
processes Probe Request and (Re)Association Request frames with a P2P IE
in case P2P support is explicitly disabled on the AP mode interface.
This is a regression test case for the fixes in the previous commit.

Signed-off-by: Jouni Malinen <j@w1.fi>

Fix wpa_supplicant AP mode P2P IE handling if P2P is disabled

If P2P support is included in wpa_supplicant build (CONFIG_P2P=y), but
P2P functionality is explicitly disabled (e.g., "P2P_SET disabled 1"),
couple of AP management frame processing steps did not check against
hapd->p2p_group being NULL and could end up dereferencing a NULL pointer
if a Probe Request frame or (Re)Association Request frame was received
with a P2P IE in it. Fix this by skipping these steps if hapd->p2p_group
is NULL.

Signed-off-by: Jouni Malinen <j@w1.fi>

Fix wpa_supplicant build with CONFIG_L2_PACKET=pcap

Commit e6dd8196e5daf39e4204ef8ecd26dd50fdca6040 ('Work around Linux
packet socket regression') forgot to add the l2_packet_init_bridge()
wrapper for l2_packet_pcap.c while updating all the other l2_packet
options. This resulted in wpa_supplicant build failing due to missing
l2_packet_init_bridge() function when using CONFIG_L2_PACKET=pcap in
wpa_supplicant/.config. Fix this by adding the wrapper function.

Signed-off-by: Jouni Malinen <j@w1.fi>

Update copyright notices for the new year 2016

Signed-off-by: Jouni Malinen <j@w1.fi>

tests: WPS PIN provisioning with configured AP (WPA+WPA2)

Signed-off-by: Jouni Malinen <j@w1.fi>

WPS: Testing mechanism to force auth/encr type flags

The new wps_force_{auth,encr}_types parameters can be used in test build
(CONFIG_WPS_TESTING) to force wpa_supplicant to use the specified value
in the Authentication/Encryption Type flags attribute. This can be used
to test AP behavior on various error cases for which there are
workarounds to cover deployed device behavior.

Signed-off-by: Jouni Malinen <j@w1.fi>

WPS: Add a workaround for WPA2PSK missing from Enrollee auth flags

Some deployed implementations seem to advertise incorrect information in
this attribute. A value of 0x1b (WPA2 + WPA + WPAPSK + OPEN, but no
WPA2PSK) has been reported to be used. Add WPA2PSK to the list to avoid
issues with building Credentials that do not use the strongest actually
supported authentication option (that device does support WPA2PSK even
when it does not claim it here).

Signed-off-by: Jouni Malinen <j@w1.fi>

WPS: Do not build Credential with unsupported encr combination on AP

It was possible for the Registrar code to generate a Credential with
auth type WPAPSK (i.e., WPA v1) with encr type AES if the Enrollee
claimed support for WPAPSK and not WPA2PSK while the AP was configured
in mixed mode WPAPSK+WPA2PSK regardless of how wpa_pairwise (vs.
rsn_pairwise) was set since encr type was selected from the union of
wpa_pairwise and rsn_pairwise. This could result in the Enrollee
receiving a Credential that it could then not use with the AP.

Fix this by masking the encryption types separately on AP based on the
wpa_pairwise/rsn_pairwise configuration. In the example case described
above, the Credential would get auth=WPAPSK encr=TKIP instead of
auth=WPAPSK encr=AES.

Signed-off-by: Jouni Malinen <j@w1.fi>

tests: Use full prefix of the P2P-GO-NEG-FAILURE

Couple of waits for this event used the "GO-NEG-FAILURE" string instead
of the full event prefix. While this worked in the tests due to a
substring matching, it is better to use the full event prefix here.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

tests: Do not dump pending events in p2p_go_neg_init timeout=0 case

It was possible for the dump_monitor() call to drop a P2P-GO-NEG-FAILURE
event that was indicated quickly after the P2P_CONNECT command was
issued. This could result in grpform_reject test case failing to see the
expected event and fail the test due to "Rejection not reported".

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>

HS 2.0: Postpone WNM-Notification sending by 100 ms

This makes it somewhat easier for the station to be able to receive and
process the encrypted WNM-Notification frames that the AP previously
sentt immediately after receiving EAPOL-Key msg 4/4. While the station
is supposed to have the TK configured for receive before sending out
EAPOL-Key msg 4/4, not many actual implementations do that. As such,
there is a race condition in being able to configure the key at the
station and the AP sending out the first encrypted frame after EAPOL-Key
4/4. The extra 100 ms time here makes it more likely for the station to
have managed to configure the key in time.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>