Commit Graph

8174 Commits

Author SHA1 Message Date
Jouni Malinen
5ac73acf12 Simplify eapol_sm_get_mib() result handling
This function cannot return negative value, so no need to check for
that. If there is not enough room in the buffer or if something
unexpected happens, 0 is returned.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-13 19:15:38 +02:00
Jouni Malinen
70d29ec946 tests: Extend RRM neighbor request testing
This uses a new testing mode in hostapd to allow RRM neighbor request
transmittion to be tested. For the second part of the test case to be
executed, mac80211_hwsim needs to be modified to claim support for the
required RRM capabilities (that change is not yet in Linux kernel).

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-12 21:09:32 +02:00
Jouni Malinen
a0a34d536e nl80211: Add rrm_flags to STATUS-DRIVER
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-12 21:09:11 +02:00
Jouni Malinen
0629eeb490 RRM: Add AP mode minimal advertisement support for testing
The new hostapd.conf radio_measurements parameter can now be used to
configure a test build to advertise support for radio measurements with
neighbor report enabled. There is no real functionality that would
actually process the request, i.e., this only for the purpose of minimal
STA side testing for now.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-12 20:45:31 +02:00
Jouni Malinen
357edd386f tests: Additional VENDOR_ELEM coverage
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-12 20:12:24 +02:00
Jouni Malinen
d655bbc797 tests: DATA_TEST_* error cases
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-12 19:33:54 +02:00
Jouni Malinen
b854d3c85d tests: EAPOL_RX failure cases
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-12 19:16:34 +02:00
Jouni Malinen
f157078c13 tests: DRIVER_EVENT failure case
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-12 19:08:24 +02:00
Jouni Malinen
3d9848967a tests: Additional MGMT_TX coverage
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-12 19:05:00 +02:00
Jouni Malinen
cbdfff0a73 tests: A single BSS with multiple key management options
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-12-12 14:05:43 +02:00
Jouni Malinen
774d414513 Fix AP IE in EAPOL-Key 3/4 for WPA + FT combination
Previously, only WPA + WPA2 was covered. If FT is enabled in addition to
WPA, MDIE is included in the buffer between RSN and WPA elements. The
previous version ended up leaving only the MDIE after having skipped RSN
element. Fix this to skip MDIE as well to leave only WPA IE regardless
of whether FT is enabled in AP configuration.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-12-12 14:03:36 +02:00
Jouni Malinen
72c5c289fb Add text names for number of the key_mgmt values
This completes STATUS command key_mgmt output for the missing values,
like SAE.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-12-12 13:40:07 +02:00
Jouni Malinen
9446f3c253 tests: SCAN error cases
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-12 01:13:35 +02:00
Jouni Malinen
43a66ecba3 Fix SCAN control interface command error cases
Update the scan parameters in wpa_s only in case the scan command is
going to be executed. In other words, do not change the parameters for
an ongoing scan (the SCAN command is rejected with FAIL-BUSY) or if any
of the parameters is invalid.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-12 01:12:15 +02:00
Jouni Malinen
530b519f78 tests: RADIO_WORK error cases
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-12 00:27:06 +02:00
Jouni Malinen
9c1be553c8 tests: Invalid VENDOR command
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-12 00:10:52 +02:00
Jouni Malinen
c2bf6d3afc tests: SIGNAL_POLL in 160 and 80+80 MHz channels
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-11 23:37:02 +02:00
Jouni Malinen
f8423317b3 tests: WNM_SLEEP error cases
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-11 23:03:10 +02:00
Jouni Malinen
08ba008c62 tests: AUTOSCAN reconfiguration while in SCANNING state
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-11 22:57:36 +02:00
Jouni Malinen
44c41cdf47 tests: Additional HS20_ICON_REQUEST coverage
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-11 16:14:24 +02:00
Jouni Malinen
ea215c54d0 tests: Additional coverage for HS20_GET_NAI_HOME_REALM_LIST
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-11 16:12:59 +02:00
Jouni Malinen
2961bfa8e1 Remove unused send_eapol() driver op
The send_eapol() callback was used by driver_test.c, but with that
removed, there is no remaining users of the alternative EAPOL frame
transmitting mechanism in wpa_supplicant, i.e., all remaining driver
interfaces use l2_packet instead. Remove the send_eapol() to get rid of
unused code.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-11 15:40:07 +02:00
Jouni Malinen
5e80b502ee tests: Additiona GAS_REQUEST/GAS_RESPONSE_GET coverage
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-11 15:18:11 +02:00
Jouni Malinen
1ca6d13dac tests: Make wep_open_auth less likely to fail due to old scan entry
Flush cfg80211 cached scan results to avoid getting any non-WEP matches
for the BSS.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-12-11 15:18:11 +02:00
Jouni Malinen
ea68ed56b9 tests: Additional ANQP_GET and HS20_ANQP_GET error coverage
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-11 15:18:11 +02:00
Jouni Malinen
b68d602dc4 Fix ANQP_GET/HS20_GET_ANQP parsing to skip space after address
The space following the BSSID was not skipped properly if the following
parameter started with the "hs20:" prefix. For other cases, atoi() ended
up ignoring the space, but it is cleaner to skip it anyway for all
cases.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-11 15:18:11 +02:00
Jouni Malinen
7e71fbc169 tests: INTERWORKING_CONNECT with invalid parameter
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-11 15:18:11 +02:00
Jouni Malinen
c62438b822 tests: Optimize p2p_persistent test cases
Number of unnecessary scan iterations can removed from these test cases
by specifying a single channel.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-11 15:18:11 +02:00
Jouni Malinen
c93b6706d2 tests: Additional P2P_REMOVE_CLIENT coverage
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-11 15:18:11 +02:00
Jouni Malinen
7387532549 tests: Additional coverage for P2P_EXT_LISTEN
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-11 15:18:11 +02:00
Jouni Malinen
bf1b59731a tests: Additional P2P_PRESENCE_REQ coverage
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-11 15:18:11 +02:00
Jouni Malinen
d9f3bb1ad6 tests: ProxyARP ARP processing
This verifies processing of various ARP messages at an AP that enables
ProxyARP. All the validation steps have not yet been scripted, i.e., the
sniffer traces need manual analysis for full coverage.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-12-11 15:18:11 +02:00
Jouni Malinen
1872c52b8e tests: Additional P2P_SET coverage
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-11 15:18:11 +02:00
Jouni Malinen
25057d9227 tests: P2P cross connection
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-11 15:18:11 +02:00
Jouni Malinen
42a697256e P2P: Allow cross connection on the parent interface
Previously, any P2P capable interface was skipped in cross connection
uplink consideration. However, this ends up skipping more or less all
nl80211-based driver cases now since they mark the main interface P2P
capable. Relax this rule to allow the parent interface to be used as the
non-P2P station interface for cross connection purposes.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-10 01:54:27 +02:00
Jouni Malinen
7b7b201785 tests: Additional P2P_PEER coverage
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-10 00:46:11 +02:00
Jouni Malinen
6a31a31da1 OpenSSL: Simplify EAP-FAST peer workaround
Commit d4913c585e ('OpenSSL: Fix EAP-FAST
peer regression') introduced a workaround to use a new SSL_CTX instance
set for TLSv1_method() when using EAP-FAST. While that works, it is
unnecessarily complex since there is not really a need to use a separate
SSL_CTX to be able to do that. Instead, simply use SSL_set_ssl_method()
to update the ssl_method for the SSL instance. In practice, this commit
reverts most of the tls_openssl.c changes from that earlier commit and
adds that single call into tls_connection_set_params() based on EAP-FAST
flag.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-09 23:55:41 +02:00
Jouni Malinen
2fc4749c91 tests: Verify that EAP-FAST PAC and TLS session ticket was used
This provides a regression test that would have caught the recent
issue with tls_openssl.c change breaking EAP-FAST.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-09 23:47:47 +02:00
Jouni Malinen
b90d064f1a Add tls_session_reused=<0/1> into EAP peer TLS status
This can be used to determine whether the last TLS-based EAP
authentication instance re-used a previous session (e.g., TLS session
resumption or EAP-FAST session ticket).

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-09 23:41:09 +02:00
Jouni Malinen
bccbd51a80 tests: Additional P2P_GROUP_ADD coverage
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-09 23:03:27 +02:00
Chet Lanctot
15badebd47 nl80211: Add QCA vendor specific query of device/driver features
This commit introduces a QCA vendor command that allows interrogation of
the vendor-specific features supported by the device/driver. Currently
the only defined feature is the ability to offload key management.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-12-09 21:08:21 +02:00
Jouni Malinen
d4913c585e OpenSSL: Fix EAP-FAST peer regression
Commit 35efa2479f ('OpenSSL: Allow TLS
v1.1 and v1.2 to be negotiated by default') changed from using
TLSv1_method() to SSLv23_method() to allow negotiation of TLS v1.0,
v1.1, and v1.2.

Unfortunately, it looks like EAP-FAST does not work with this due to
OpenSSL not allowing ClientHello extensions to be configured with
SSL_set_session_ticket_ext() when SSLv23_method() is used. Work around
this regression by initiating a separate SSL_CTX instance for EAP-FAST
phase 1 needs with TLSv1_method() while leaving all other EAP cases
using TLS to work with the new default that allows v1.1 and v1.2 to be
negotiated. This is not ideal and will hopefully get fixed in the future
with a new OpenSSL method, but until that time, this can be used allow
other methods use newer TLS versions while still allowing EAP-FAST to be
used even if it remains to be constraint to TLS v1.0 only.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-09 16:57:05 +02:00
Jouni Malinen
471debb0b3 Fix OpenSSL 0.9.8za patch for EAP-FAST support
OpenSSL 0.9.8za added a fix for CVE-2014-0224 and the original fix broke
EAP-FAST support due to forgotten SSL3_FLAGS_CCS_OK marking for
tls_session_secret_cb. Fix for this regression was added into OpenSSL
1.x and newer. The same fix is needed in this backport patch for
0.9.8za.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-09 16:57:05 +02:00
Jouni Malinen
c1f5bcb96f TLS: Add new cipher suites to tls_get_cipher()
This fixes EAP-FAST server side issues for anonymous provisioning when
using the internal TLS implementation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-09 16:57:05 +02:00
Jouni Malinen
c25addb156 OpenSSL: Remove support for the old EAP-FAST interface
Commit f5fa824e9a ('Update OpenSSL 0.9.8
patch for EAP-FAST support') changed the OpenSSL 0.9.8 patch to support
the new API that was introduced in OpenSSL 1.0.0 for EAP-FAST. As such,
there should be no valid users of the old API anymore and tls_openssl.c
can be cleaned up to use only the new API.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-09 16:57:05 +02:00
Xiaofei Shen
f68e86a4d6 MACsec: Update protect frames and replay on reauthentication
Some cases like ifconfig down/up may require MACsec restart. To make
sure the appropriate protect frames and replay parameters get configured
in cases where the interface was down, set these parameters from KaY
configuration to the driver before creating a new transmit SC. This
allows MACsec functionality to recover automatically on such restart.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-12-09 16:56:10 +02:00
Jouni Malinen
1ede3d2268 tests: Invitation Request retry and duplicated response
This verifies that the corner case of a duplicated, retransmitted
Invitation Response frame ends up being dropped instead of being
processed twice for the case of Invitation Request getting resend with
social channel as an operating channel in case of no common channels
found.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-12-09 16:26:54 +02:00
Sunil Dutt
36b5c3335a P2P: Check Invitation Response dialog token match for resend case
Commit ac330cfd87 ('P2P: Reinvite with
social operation channel if no common channels') introduced a mechamisn
to reinvite a peer during a persistent group reinvocation from a GO with
a different operating channel proposal. This mechanism can fail if the
inviting device (GO) ends up getting a retransmitted, duplicated
Invitation Response frame processed second time while waiting for the
response to the retried Invitation Request (using one of the social
channels as the operating channel). IEEE 802.11 duplicate frame
detection mechanisms are supposed to prevent this type of sequence, but
not all drivers support those rules properly for pre-association frames,
including P2P Public Action frames.

Work around this issue by checking that the dialog token in the
Invitation Response frame matches the one from the last Invitation
Request if the special invitation retry mechanism is used. This is safer
to do now than to enable dialog token matching for all invitation cases.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-12-09 16:26:47 +02:00
Jouni Malinen
1f90dfd2cd nl80211: Add frame control and sequence control field in RX frame debug
This makes it easier to debug issues related to duplicated management
frames on receive path.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-09 01:19:20 +02:00
Jouni Malinen
c703a1da70 tests: Additional P2P SD coverage
This adds P2P_SERV_DISC_REQ, P2P_SERVICE_ADD, and P2P_SERVICE_DEL error
cases and P2P_SERVICE_FLUSH and P2P_SERC_DISC_EXTERNAL testing.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-12-08 21:23:24 +02:00