Jouni Malinen [Wed, 14 Jan 2015 11:24:09 +0000 (13:24 +0200)]
D-Bus: Clear cached EAP data on network profile changes
This makes D-Bus network profile Set(Properties) clear cached EAP data
similarly to how SET_NETWORK does for control interface.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Wed, 14 Jan 2015 10:14:31 +0000 (12:14 +0200)]
Include peer certificate always in EAP events
This makes it easier for upper layer applications to get information
regarding the server certificate without having to use a special
certificate probing connection. This provides both the SHA256 hash of
the certificate (to be used with ca_cert="hash://server/sha256/<hash>",
if desired) and the full DER encoded X.509 certificate so that upper
layer applications can parse and display the certificate easily or
extract fields from it for purposes like configuring an altsubject_match
or domain_suffix_match.
The old behavior can be configured by adding cert_in_cb=0 to
wpa_supplicant configuration file.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Tue, 13 Jan 2015 23:38:26 +0000 (01:38 +0200)]
Get rid of a compiler warning
Commit e7d0e97bdbdc996564f06b382af3d5a5164a8fb3 ('hostapd: Add vendor
specific VHT extension for the 2.4 GHz band') resulted in a compiler
warning regarding comparison between signed and unsigned integers at
least for 32-bit builds.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Tue, 16 Dec 2014 14:07:54 +0000 (16:07 +0200)]
tests: Subset of VHT functionality on 2.4 GHz
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Tue, 13 Jan 2015 22:50:58 +0000 (00:50 +0200)]
Extend VENDOR_ELEM parameters to cover non-P2P Association Request
The new VENDOR_ELEM value 13 can now be used to add a vendor element
into all (Re)Association Request frames, not just for P2P use cases like
the previous item was for.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Jouni Malinen [Tue, 13 Jan 2015 23:11:08 +0000 (01:11 +0200)]
tests: Add room for more vendor elems in wpas_ctrl_vendor_elem
This test case was verifying that the first unused VENDOR_ELEM value
above the current maximum is rejected. That makes it a bit inconvenient
to add new entries, so increase the elem value to leave room for new
additions without having to continuously modify this test case.
Signed-off-by: Jouni Malinen <j@w1.fi>
Yanbo Li [Mon, 10 Nov 2014 15:12:29 +0000 (23:12 +0800)]
hostapd: Add vendor specific VHT extension for the 2.4 GHz band
This allows vendor specific information element to be used to advertise
support for VHT on 2.4 GHz band. In practice, this is used to enable use
of 256 QAM rates (VHT-MCS 8 and 9) on 2.4 GHz band.
This functionality is disabled by default, but can be enabled with
vendor_vht=1 parameter in hostapd.conf if the driver advertises support
for VHT on either 2.4 or 5 GHz bands.
Signed-off-by: Yanbo Li <yanbol@qti.qualcomm.com>
Jouni Malinen [Sun, 11 Jan 2015 21:29:48 +0000 (23:29 +0200)]
GnuTLS: Add TLS event callbacks for chain success/failure and peer cert
This makes GnuTLS events match the ones provided when OpenSSL is used.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 11 Jan 2015 21:13:35 +0000 (23:13 +0200)]
tests: Valid OCSP response with revoked and unknown cert status
This increases testing coverage for OCSP processing by confirming that
valid OCSP response showing revoked certificate status prevents
successful handshake completion. In addition, unknown certificate status
is verified to prevent connection if OCSP is required and allow
connection if OCSP is optional.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 11 Jan 2015 17:07:13 +0000 (19:07 +0200)]
GnuTLS: Add support for OCSP stapling as a client
This allows ocsp=2 to be used with wpa_supplicant when built with GnuTLS
to request TLS status extension (OCSP stapling) to be used to validate
server certificate validity.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 11 Jan 2015 18:17:51 +0000 (20:17 +0200)]
tests: Generate a fresh OCSP response for each test run
GnuTLS has a hardcoded three day limit on OCSP response age regardless
of the next update value in the response. To make this work in the test
scripts, try to generate a new response when starting the authentication
server. The old mechanism of a response without next update value is
used as a backup option if openssl is not available or fails to generate
the response for some reason.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 11 Jan 2015 17:55:04 +0000 (19:55 +0200)]
tests: Verify mesh support for wpas_add_set_remove_support
This test case fails if wpa_supplicant is built without mesh support, so
need to check for this.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 11 Jan 2015 17:45:56 +0000 (19:45 +0200)]
tests: Check mesh capability based on the modes capabilities list
This is more robust than checking the driver capability because it is
also possible for the wpa_supplicant build to be configured without mesh
support regardless of whether the driver supports it.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 11 Jan 2015 17:44:23 +0000 (19:44 +0200)]
Add MESH to modes capabilities
This makes it easier for upper layer programs to figure out whether the
wpa_supplicant and the driver support mesh.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 11 Jan 2015 17:42:57 +0000 (19:42 +0200)]
tests: Verify that SAE is supported for test cases requiring it
This makes it more convenient to run tests with wpa_supplicant builds
that do not support SAE (e.g., due to crypto library not providing
sufficient functionality for this).
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 11 Jan 2015 17:41:01 +0000 (19:41 +0200)]
Add SAE to auth_alg capabilities
This makes it easier for upper layer programs to figure out whether the
wpa_supplicant and the driver support SAE.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 11 Jan 2015 16:49:14 +0000 (18:49 +0200)]
tests: Skip ap_wpa2_eap_ttls_server_cert_hash if probing not supported
The ca_cert="probe://" functionality is currently supported only with
OpenSSL.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 11 Jan 2015 16:45:59 +0000 (18:45 +0200)]
GnuTLS: Verify that server certificate EKU is valid for a server
The server certificate will be rejected if it includes any EKU and none
of the listed EKUs is either TLS Web Server Authentication or ANY.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 11 Jan 2015 16:13:17 +0000 (18:13 +0200)]
GnuTLS: Fix tls_disable_time_checks=1 processing
Certificate expiration is checked both within GnuTLS and in the
tls_gnutls.c implementation. The former was configured to use the
request to ignore time checks while the latter was not. Complete support
for this parameter by ignoring the internal expiration checks if
requested.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 11 Jan 2015 16:07:54 +0000 (18:07 +0200)]
GnuTLS: Add support for private_key and client_cert as blobs
This allows private key and client certificate to be configured using
wpa_supplicant blobs instead of external files.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 11 Jan 2015 16:02:52 +0000 (18:02 +0200)]
tests: Use RSA key format in ap_wpa2_eap_tls_blob
This format as a DER encoded blob is supported by both OpenSSL and
GnuTLS while the previous OpenSSL specific format did not get accepted
by GnuTLS.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 11 Jan 2015 15:37:32 +0000 (17:37 +0200)]
tests: Split domain_suffix_match test cases based on match type
With GnuTLS, domain_suffix_match is currently requiring full match, so
split the test cases in a way that can be reported more cleanly as PASS
or SKIP based on TLS library behavior.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 11 Jan 2015 15:43:30 +0000 (17:43 +0200)]
tests: Add ca_cert to username/password Hotspot 2.0 credentials
Proper configuration should be used here to get server validation
enabled, so update the test cases to provide the ca_cert parameter. This
was included in a number of existing test cases, but not all.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 11 Jan 2015 15:05:59 +0000 (17:05 +0200)]
tests: Split subject_match and altsubject_match to separate test cases
These parameters are supported only with OpenSSL, so split any test case
that used those for a successful connection into two test cases. Skip
all test cases where these are used without the selected TLS library
supporting them to avoid reporting failures incorrectly. Though, verify
that subject_match and altsubject_match get rejected properly if TLS
library does not support these.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 11 Jan 2015 14:57:26 +0000 (16:57 +0200)]
GnuTLS: Fix DER encoding certificate parsing
It looks like GnuTLS may return success on
gnutls_certificate_set_x509_*() functions with GNUTLS_X509_FMT_PEM even
when trying to read DER encoded information. Reverse the order of
parsing attempts so that we start with DER and then move to PEM if
GnuTLS reports failure on DER parsing. This seems to be a more reliable
way of getting errors reported and both cases can now be handled.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 11 Jan 2015 14:01:08 +0000 (16:01 +0200)]
tests: Skip EAP-pwd and EAP-FAST test cases if not supported
Check wpa_supplicant EAP capability and skip EAP-pwd and EAP-FAST test
cases if the build did not include support for these. This is cleaner
than reporting failures for such test cases when the selected TLS
library does not support the EAP method.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 11 Jan 2015 13:59:58 +0000 (15:59 +0200)]
tests: Fix crypto module test build without EAP-FAST
Skip the EAP-FAST specific test cases if wpa_supplicant build is
configured not to include EAP-FAST support.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 11 Jan 2015 13:38:34 +0000 (15:38 +0200)]
tests: Skip OpenSSL cipher string tests with other TLS libraries
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 11 Jan 2015 13:37:38 +0000 (15:37 +0200)]
Add "GET tls_library" to provide information on TLS library and version
This new wpa_supplicant and hostapd control interface command can be
used to determine which TLS library is used in the build and what is the
version of that library.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 11 Jan 2015 11:59:50 +0000 (13:59 +0200)]
GnuTLS: Add event callbacks
This allows wpa_supplicant to provide more information about peer
certificate validation results to upper layers similarly to the
mechanism used with OpenSSL.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 11 Jan 2015 11:29:17 +0000 (13:29 +0200)]
GnuTLS: Add support for domain_suffix_match
This implementation uses GnuTLS function
gnutls_x509_crt_check_hostname(). It has a bit different rules regarding
matching (allows wildcards in some cases, but does not use suffix
matching) compared to the internal implementation used with OpenSSL.
However, these rules are sufficiently close to each other to be of
reasonable use for most cases.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 11 Jan 2015 11:05:28 +0000 (13:05 +0200)]
GnuTLS: Check for any unknown verification failure
After having checked all known GNUTLS_CERT_* error cases that we care
about, check that no other errors have been indicated by
gnutls_certificate_verify_peers2() as a reason to reject negotiation.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 11 Jan 2015 11:01:50 +0000 (13:01 +0200)]
GnuTLS: Add more debug prints for version and session status
Make the debug output more useful for determining which version of
GnuTLS was used and what was negotiated for the session.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 11 Jan 2015 10:43:17 +0000 (12:43 +0200)]
GnuTLS: Move peer certificate validation into callback function
GnuTLS 2.10.0 added gnutls_certificate_set_verify_function() that can be
used to move peer certificate validation to an earlier point in the
handshake. Use that to get similar validation behavior to what was done
with OpenSSL, i.e., reject the handshake immediately after receiving the
peer certificate rather than at the completion of handshake.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 11 Jan 2015 09:45:53 +0000 (11:45 +0200)]
GnuTLS: Remove support for versions older than 2.12.x
GnuTLS project has marked 2.12.x obsolete since January 2014. There is
not much need for maintaining support for obsolete versions of the
library, so drop all #if/#endif blocks targeting 2.x.y versions. In
practice, none of these were requiring 2.12.x version with x greater
than 0, so 2.12.x remains supported for now.
In addition, add newer version (GnuTLS 3.0.18 and newer) to fetch client
and server random from the session since the old method is not supported
by new GnuTLS versions and as such, gets removed with rest of the old
ifdef blocks.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 11 Jan 2015 09:13:20 +0000 (11:13 +0200)]
GnuTLS: Remove old version number checks for 1.3.2
No one should be using GnuTLS versions older than 1.3.2 from 2006
anymore, so remove these unnecessary #if/#endif checks.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sun, 11 Jan 2015 09:11:03 +0000 (11:11 +0200)]
GnuTLS: Remove GNUTLS_INTERNAL_STRUCTURE_HACK
This was needed with very old GnuTLS versions, but has not been needed,
or used, since GnuTLS 1.3.2 which was released in 2006. As such, there
is no need to maintain this code anymore and it is better to just clean
the source code by removing all the related code.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 10 Jan 2015 23:48:44 +0000 (01:48 +0200)]
GnuTLS: Add support for ca_cert as a blob
This allows GnuTLS to be used with trusted CA certificate from
wpa_supplicant blob rather than an external certificate file.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 10 Jan 2015 23:35:54 +0000 (01:35 +0200)]
TLS: Reject openssl_ciphers parameter in non-OpenSSL cases
This TLS configuration parameter is explicitly for OpenSSL. Instead of
ignoring it silently, reject any configuration trying to use it in
builds that use other options for TLS implementation.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 10 Jan 2015 22:56:17 +0000 (00:56 +0200)]
Work around Windows build issues
At least MinGW did not have ENOTCONN, EOPNOTSUPP, ECANCELED, so define
these to allow the build to go through.
wpas_rrm_send_neighbor_rep_request() is not really used on Windows, so
the exact error code values do not make any difference here.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 10 Jan 2015 22:52:19 +0000 (00:52 +0200)]
Define host_to_le32() for Windows builds
This define had been forgotten at some point in time and wpa_supplicant
compilation for Windows failed with some recently added code that
depended on this.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 10 Jan 2015 22:49:16 +0000 (00:49 +0200)]
Fix os_win32 build
Addition of os_memcmp_const() in commit
afc3c8b07ffcdccc9349c83dfd3cc904ad9fbfb1 had forgotten to include
common.h into os_win32.c to get u8 defined.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 10 Jan 2015 22:43:30 +0000 (00:43 +0200)]
Remove Network Security Service (NSS) support
NSS as a TLS/crypto library alternative was never completed and this
barely functional code does not even build with the current NSS version.
Taking into account that there has not been much interest in working on
this crypto wrapper over the years, it is better to just remove this
code rather than try to get it into somewhat more functional state.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 10 Jan 2015 22:57:33 +0000 (00:57 +0200)]
schannel: Reject subject_match, altsubject_match, suffix_match
Validation of these parameters has not been implemented with schannel.
Instead of ignoring them silently, reject the configuration to avoid
giving incorrect impression of the parameters being used if
wpa_supplicant is built with schannel instead of the default OpenSSL.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 10 Jan 2015 22:37:21 +0000 (00:37 +0200)]
TLS: Reject subject_match, altsubject_match, suffix_match
Validation of these parameters has not been implemented in the internal
TLS implementation. Instead of ignoring them silently, reject the
configuration to avoid giving incorrect impression of the parameters
being used if wpa_supplicant is built with the internal TLS
implementation instead of the default OpenSSL.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 10 Jan 2015 22:33:48 +0000 (00:33 +0200)]
GnuTLS: Reject subject_match, altsubject_match, suffix_match
Validation of these parameters has not been implemented with GnuTLS.
Instead of ignoring them silently, reject the configuration to avoid
giving incorrect impression of the parameters being used if
wpa_supplicant is built with GnuTLS instead of the default OpenSSL.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 10 Jan 2015 22:26:26 +0000 (00:26 +0200)]
Fix a typo in domain_suffix_match documentation
Spell SubjectName correctly.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 10 Jan 2015 22:10:53 +0000 (00:10 +0200)]
tests: Increase altsubject_match testing coverage
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 10 Jan 2015 22:00:04 +0000 (00:00 +0200)]
Improve subject_match and domain_suffix_match documentation
These were already covered in both README-HS20 for credentials and in
header files for developers' documentation, but the copy in
wpa_supplicant.conf did not include all the details. In addition, add a
clearer note pointing at subject_match not being suitable for suffix
matching domain names; domain_suffix_match must be used for that.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 10 Jan 2015 15:31:37 +0000 (17:31 +0200)]
trace: Fix out-of-memory testing logic
data.function needs to be set for the return value to be of any use and
strcmp won't work with NULL pointer either. (CID 99907)
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 10 Jan 2015 15:12:18 +0000 (17:12 +0200)]
tests: bssid_blacklist and bssid_whitelist
Signed-off-by: Jouni Malinen <j@w1.fi>
Stefan Tomanek [Mon, 5 Jan 2015 20:10:16 +0000 (21:10 +0100)]
Add address masks to BSSID lists
In many applications it is useful not just to enumerate a group of well
known access points, but to use an address/mask notation to match an
entire set of addresses (ca:ff:ee:00:00:00/ff:ff:ff:00:00:00).
This change expands the data structures used by MAC lists to include a
mask indicating the significant (non-masked) portions of an address and
extends the list parser to recognize mask suffixes.
Signed-off-by: Stefan Tomanek <stefan.tomanek@wertarbyte.de>
Stefan Tomanek [Mon, 5 Jan 2015 20:08:49 +0000 (21:08 +0100)]
Add network specific BSSID black and white lists
This change adds the configuration options "bssid_whitelist" and
"bssid_blacklist" used to limit the AP selection of a network to a
specified (finite) set or discard certain APs.
This can be useful for environments where multiple networks operate
using the same SSID and roaming between those is not desired. It is also
useful to ignore a faulty or otherwise unwanted AP.
Signed-off-by: Stefan Tomanek <stefan.tomanek@wertarbyte.de>
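The address/mask notation and the per-network list semantics described in the two commits above, as an added C example that is not code from hostap. The function names, the fixed-size list, the whitespace-separated list format and the rule that a blacklist hit is checked before the whitelist are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_ALEN 6
#define MAX_ENTRIES 16 /* arbitrary cap for this example */

struct mac_entry {
    uint8_t addr[ETH_ALEN];
    uint8_t mask[ETH_ALEN]; /* 1 bits mark the significant address bits */
};

struct mac_list {
    struct mac_entry e[MAX_ENTRIES];
    size_t n;
};

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse exactly 17 characters "xx:xx:xx:xx:xx:xx"; 0 on success, -1 on error. */
static int parse_mac(const char *s, uint8_t out[ETH_ALEN])
{
    for (int i = 0; i < ETH_ALEN; i++) {
        int hi = hexval(s[3 * i]);
        if (hi < 0)
            return -1; /* also stops at the string terminator */
        int lo = hexval(s[3 * i + 1]);
        if (lo < 0)
            return -1;
        if (i < ETH_ALEN - 1 && s[3 * i + 2] != ':')
            return -1;
        out[i] = (uint8_t) ((hi << 4) | lo);
    }
    return 0;
}

/* Parse "addr[/mask] addr[/mask] ..."; a malformed list is rejected whole. */
int parse_mac_list(const char *s, struct mac_list *list)
{
    list->n = 0;
    while (*s) {
        while (*s == ' ' || *s == '\t')
            s++;
        if (!*s)
            break;
        if (list->n == MAX_ENTRIES)
            return -1;
        struct mac_entry *e = &list->e[list->n];
        if (parse_mac(s, e->addr) < 0)
            return -1;
        s += 17;
        memset(e->mask, 0xff, ETH_ALEN); /* no suffix: exact match */
        if (*s == '/') {
            if (parse_mac(s + 1, e->mask) < 0)
                return -1;
            s += 18;
        }
        if (*s && *s != ' ' && *s != '\t')
            return -1; /* trailing garbage after an entry */
        list->n++;
    }
    return 0;
}

/* An entry matches when all bits selected by its mask agree.
 * Note that an all-zero mask therefore matches every BSSID. */
int mac_in_list(const uint8_t bssid[ETH_ALEN], const struct mac_list *list)
{
    for (size_t i = 0; i < list->n; i++) {
        uint8_t diff = 0;
        for (int j = 0; j < ETH_ALEN; j++)
            diff |= (uint8_t) ((bssid[j] ^ list->e[i].addr[j]) & list->e[i].mask[j]);
        if (!diff)
            return 1;
    }
    return 0;
}

/* Assumed policy: blacklist hit rejects; a non-empty whitelist must match. */
int bssid_allowed(const uint8_t bssid[ETH_ALEN], const struct mac_list *white,
                  const struct mac_list *black)
{
    if (mac_in_list(bssid, black))
        return 0;
    if (white->n > 0 && !mac_in_list(bssid, white))
        return 0;
    return 1;
}

/* Convenience wrapper: 1 = allowed, 0 = rejected, -1 = parse error. */
int check(const char *white, const char *black, const char *bssid)
{
    struct mac_list wl, bl;
    uint8_t addr[ETH_ALEN];
    if (parse_mac_list(white, &wl) < 0 || parse_mac_list(black, &bl) < 0 ||
        parse_mac(bssid, addr) < 0 || bssid[17] != '\0')
        return -1;
    return bssid_allowed(addr, &wl, &bl);
}

int main(void)
{
    /* Constructed sample values; the masked entry is the one from the commit text. */
    const char *wl = "ca:ff:ee:00:00:00/ff:ff:ff:00:00:00";
    printf("%d\n", check(wl, "", "ca:ff:ee:12:34:56"));
    printf("%d\n", check(wl, "ca:ff:ee:00:00:01", "ca:ff:ee:00:00:01"));
    return 0;
}
```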
Stefan Tomanek [Mon, 5 Jan 2015 20:08:40 +0000 (21:08 +0100)]
Add generic parser for MAC address lists
This change generalizes the code used for parsing the configuration
option 'p2p_client_list' and makes it suitable to use it in other
contexts.
Signed-off-by: Stefan Tomanek <stefan.tomanek@wertarbyte.de>
Jouni Malinen [Sat, 10 Jan 2015 11:16:42 +0000 (13:16 +0200)]
nl80211: Use a helper function to put mesh_id
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 10 Jan 2015 11:14:20 +0000 (13:14 +0200)]
nl80211: Use a helper function for putting beacon interval
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 10 Jan 2015 10:43:33 +0000 (12:43 +0200)]
Remove mesh_ht_mode network block parameter
There should not be a mesh-specific mechanism for setting up channel
parameters since that will just result in duplicated code. IBSS, mesh,
and AP mode can use the same data structures and parameters for setting
up such parameters.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 10 Jan 2015 11:03:45 +0000 (13:03 +0200)]
mesh: Use the shared function with IBSS to determine channel parameters
Automatically enable HT20, HT40+, HT40-, or VHT, based on driver
capabilities. This obsoletes the mesh_ht_mode network block parameter
that was previously used to configure HT parameters.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 10 Jan 2015 11:02:08 +0000 (13:02 +0200)]
mesh: Convert channel configuration to use common routines
Use struct hostapd_freq_params just like other modes do instead of
mesh-specific freq and ht_mode.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 10 Jan 2015 10:52:50 +0000 (12:52 +0200)]
mesh: Use a separate variable to track whether HT is enabled
A network profile parameter should not be used to check whether the
currently operating mesh has HT enabled.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 10 Jan 2015 10:50:46 +0000 (12:50 +0200)]
nl80211: Move debug prints into nl80211_put_freq_params()
This way all callers can get the benefit of the same debug prints.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 10 Jan 2015 10:49:41 +0000 (12:49 +0200)]
nl80211: Add a helper function for putting basic rates
There is no need for maintaining two more or less identical copies of
this functionality.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 10 Jan 2015 10:39:42 +0000 (12:39 +0200)]
tests: Drop mesh_ht_mode parameter from mesh test cases
This network profile parameter will be removed with the cleanup that
makes mesh use shared functions for setting channel parameters. That
will allow HT to be enabled automatically based on driver capabilities.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Sat, 10 Jan 2015 10:04:25 +0000 (12:04 +0200)]
tests: Mesh in 5 GHz band
Signed-off-by: Jouni Malinen <j@w1.fi>
Janusz Dziedzic [Thu, 8 Jan 2015 11:48:36 +0000 (12:48 +0100)]
ibss/mesh: Enable HT40 if supported
Setup HT40+/HT40- if supported by driver.
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
Janusz Dziedzic [Thu, 8 Jan 2015 11:48:35 +0000 (12:48 +0100)]
Make check_40mhz_2g4 common
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
Janusz Dziedzic [Thu, 8 Jan 2015 11:48:34 +0000 (12:48 +0100)]
Make check_20mhz_bss common
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
Janusz Dziedzic [Thu, 8 Jan 2015 11:48:33 +0000 (12:48 +0100)]
Make check_40mhz_5g common
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
Janusz Dziedzic [Thu, 8 Jan 2015 11:48:32 +0000 (12:48 +0100)]
Make get_pri_sec_chan() common
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
Janusz Dziedzic [Thu, 8 Jan 2015 11:48:31 +0000 (12:48 +0100)]
Introduce common allowed_ht40_channel_pair()
This can be used from hostapd/wpa_supplicant.
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
Janusz Dziedzic [Thu, 8 Jan 2015 11:48:30 +0000 (12:48 +0100)]
Use common hw_get_freq/hw_get_chan helpers in hostapd
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
Janusz Dziedzic [Thu, 8 Jan 2015 11:48:29 +0000 (12:48 +0100)]
Introduce common hw features
Introduce wpa_supplicant/hostapd hw features.
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
Janusz Dziedzic [Wed, 7 Jan 2015 08:29:43 +0000 (09:29 +0100)]
IBSS: Add WPA_DRIVER_FLAGS_HT_IBSS
Add WPA_DRIVER_FLAGS_HT_IBSS driver feature flag. Some drivers could not
set this feature and next could fail when we will enable HT support for
IBSS with error message: nl80211: Join IBSS failed: ret=-22 (Invalid
argument).
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
Bob Copeland [Wed, 7 Jan 2015 06:10:57 +0000 (01:10 -0500)]
SAE: Implement retransmission timer
Add the t0 retransmission timer as specified by IEEE Std 802.11-2012,
11.3.8.4. This makes SAE much more likely to succeed in the case of lost
frames.
Signed-off-by: Bob Copeland <me@bobcopeland.com>
Bob Copeland [Wed, 7 Jan 2015 06:10:56 +0000 (01:10 -0500)]
SAE: Centralize function for sending initial COMMIT
When performing SAE authentication in mesh, one station may
initiate authentication by sending a COMMIT as soon as a peer
candidate is discovered. Previously we did this in mesh_rsn.c,
but this left some of the state initialization in a different
part of the code from the rest of the state machine, and we may
need to add other initializations here in the future, so move
that to a more central function.
Signed-off-by: Bob Copeland <me@bobcopeland.com>
Imre Vadasz [Tue, 6 Jan 2015 14:08:37 +0000 (15:08 +0100)]
bsd: Fix parsing of ieee80211req_scan_result on FreeBSD and DragonFly
On FreeBSD and DragonFly BSD, we additionally need to skip the
isr_meshid_len bytes of the MESH ID, to get the correct address for
copying the IE data.
The isr_meshid_len field was added in the FreeBSD svn revision r195618
in 2009, so I don't think we need to check the FreeBSD version here.
Signed-off-by: Imre Vadász <imre@vdsz.com>
Narayan Kamath [Mon, 5 Jan 2015 11:39:15 +0000 (11:39 +0000)]
Android: Remove hardcoded ICU include paths from hs20-osu-client
ICU exports them using LOCAL_EXPORT_C_INCLUDE_DIRS.
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
Johannes Berg [Fri, 9 Jan 2015 18:55:44 +0000 (19:55 +0100)]
tests: Refactor tshark running
Refactor the code to run tshark into its own submodule. This allows
even remembering whether -Y or -R needs to be used for filtering.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Jouni Malinen [Tue, 6 Jan 2015 11:33:32 +0000 (13:33 +0200)]
tests: Out-of-memory cases for D-Bus operations
This increases testing coverage on various error paths.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Thu, 8 Jan 2015 23:41:57 +0000 (01:41 +0200)]
tests: Additional D-Bus error path coverage
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Fri, 9 Jan 2015 00:31:23 +0000 (02:31 +0200)]
D-Bus: Use NoMemory error message from CreateInterface
Try to be a bit more consistent by using NoMemory instead of InvalidArgs
if os_strdup() fails in the CreateInterface handler.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Thu, 8 Jan 2015 20:39:18 +0000 (22:39 +0200)]
Handle interface disabled/enabled more consistently
It was possible for the interface not to be marked in INTERFACE_DISABLED
state in case the event was processed for P2P GO because the wpa_s
instance could have been removed in case of a separate group interface.
Change the state first to avoid leaving different state for the case
where separate group interface is not used.
Mark scan to be a normal scan on INTERFACE_ENABLED so that scanning
rules (e.g., skip scan if no networks enabled) get used consistently.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Thu, 8 Jan 2015 20:13:17 +0000 (22:13 +0200)]
P2P: Indicate reason=UNAVAILABLE for group netdev going down
There is a race condition between receiving an AP stopped event and
netdev down event. These resulted in different group removal reasons on
a GO device (UNAVAILABLE for stop AP event coming first and REQUESTED
for netdev event first). Make this more consistent by reporting
UNAVAILABLE for both possible cases.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Thu, 8 Jan 2015 00:31:11 +0000 (02:31 +0200)]
tests: Add out-of-memory loop tests for hostapd startup
These test cases run hostapd interface setup multiple times with
TEST_ALLOC_FAIL commands triggering memory allocation failures one by
one at each possible location in the setup sequence. Effectively, these
test cases will hit most error paths for memory allocation issue cases
(i.e., only the cases requiring more than one allocation failure in a
sequence are not covered).
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Tue, 6 Jan 2015 00:38:26 +0000 (02:38 +0200)]
tests: hostapd BSS addition failures
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Mon, 5 Jan 2015 20:00:55 +0000 (22:00 +0200)]
tests: hostapd interface setup and memory allocation failures
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Mon, 5 Jan 2015 20:00:22 +0000 (22:00 +0200)]
tests: Memory allocation failure in wpa_supplicant blacklist
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Wed, 7 Jan 2015 12:19:30 +0000 (14:19 +0200)]
tests: Convert test skipping to use exception
Instead of returning "skip" from the test function, raise the new
HwsimSkip exception to indicate a test case was skipped.
Signed-off-by: Jouni Malinen <j@w1.fi>
Johannes Berg [Thu, 8 Jan 2015 13:59:16 +0000 (14:59 +0100)]
tests: Use rfkill python module
Instead of calling the rfkill binary, use the built-in module.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Johannes Berg [Thu, 8 Jan 2015 10:16:33 +0000 (11:16 +0100)]
tests: Add rfkill module
This can be used instead of invoking the rfkill binary.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Jouni Malinen [Thu, 8 Jan 2015 00:29:59 +0000 (02:29 +0200)]
Verify that eloop_register_read_sock() succeeds for ctrl_iface setup
This allows faster detection of a case where a memory allocation fails
within eloop.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Thu, 8 Jan 2015 00:22:03 +0000 (02:22 +0200)]
Fix a memory leak on WPA authenticator error path
wpa_auth->group needs to be freed if PMK cache setup fails.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Thu, 8 Jan 2015 00:13:46 +0000 (02:13 +0200)]
Fix hostapd interface addition error path
The local conf pointer needs to be cleared once it gets assigned to
hapd_iface to avoid double-free of the configuration data on error path.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Wed, 7 Jan 2015 14:29:19 +0000 (16:29 +0200)]
tests: Make scan_random_mac more robust
There is a race condition between wlantest having received and written
the sniffer log and this test case using tshark to process it. Wait one
second before running tshark to make it less likely to get truncated
results that can result in the test case failing.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Wed, 7 Jan 2015 11:41:31 +0000 (13:41 +0200)]
tests: Convert "hwsim-SKIP" exception to use a custom class
This makes the design a bit cleaner for catching the exceptions.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Wed, 7 Jan 2015 11:29:25 +0000 (13:29 +0200)]
tests: Import dbus module in a cleaner way
There is no need to use prepare_dbus() function to check whether the
dbus module can be imported.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Mon, 5 Jan 2015 18:30:28 +0000 (20:30 +0200)]
Add support for testing memory allocation failures
The new control interface command TEST_ALLOC_FAIL and GET_ALLOC_FAIL can
now be used to trigger memory allocation failures for testing purposes.
TEST_ALLOC_FAIL sets a failure condition with
<count>:func[;func][;func]... string and GET_ALLOC_FAIL returns the
current state using the same format. Whenever an allocation is made with
a matching backtrace of calling functions, the count is decremented by
one and once zero is reached, the allocation is forced to fail.
Function names can be prefixed with either '=' or '?' to get different
matching behavior. '=' requires this specific function to be the next
one in the backtrace (i.e., do not skip any other functions in the list
which is the default behavior). '?' allows the function to be optionally
present in the backtrace.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Tue, 6 Jan 2015 21:13:28 +0000 (23:13 +0200)]
D-Bus: Fix interface unregistration on error path
It is possible for this function to get called even if D-Bus
registration had failed, so the path can be NULL here.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Tue, 6 Jan 2015 21:07:12 +0000 (23:07 +0200)]
D-Bus (old): Fix interface unregistration on error path
It is possible for this function to be called even if D-Bus interface
registration has failed. Avoid a D-Bus assert in such a case.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen [Tue, 6 Jan 2015 21:01:00 +0000 (23:01 +0200)]
Fix memory leak on wpa_supplicant_init_wpa() error path
If wpa_sm_init() fails, the context data needs to be freed in the
caller.
Signed-off-by: Jouni Malinen <j@w1.fi>