Commit graph

14482 commits

Author SHA1 Message Date
Jouni Malinen
7c6acc757b macsec_linux: More detailed debug logs for driver interaction
Signed-off-by: Jouni Malinen <j@w1.fi>
2018-12-24 21:12:18 +02:00
Jouni Malinen
e7b141906b tests: Do not override connectivity test address if no driver info
Not all driver interfaces provide driver status information with the
local address, so skip the override step if the field is not available.
This is needed, e.g., with macsec_linux.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-12-24 20:31:47 +02:00
Jouni Malinen
5759bd36aa WPS: Fix wps_validate_credential() argument type
Newer gcc complained about the mismatching len[] argument type. Silence
that by using the correct type.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-12-24 11:12:53 +02:00
Jouni Malinen
e422a819d0 Check snprintf result to avoid compiler warnings
These do not really get truncated in practice, but it looks like some
newer compilers warn about the prints, so silence those by checking the
result and do something a bit more useful if the output would actually
get truncated.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-12-24 11:09:22 +02:00
Damodaran, Rohit (Contractor)
ee98dd631a Readme for DPP
Addi a readme file for users for on-boarding devices with Device
Provisioning Protocol (DPP).

Signed-off-by: Rohit Damodaran <Rohit_Damodaran@comcast.com>
2018-12-23 17:25:11 +02:00
Jouni Malinen
345d8b5e91 tests: AP mode and D-Bus StationAdded/StationRemoved signals
Signed-off-by: Jouni Malinen <j@w1.fi>
2018-12-23 17:25:11 +02:00
Andrej Shadura
c3f23ad6c7 dbus: Expose connected stations on D-Bus
Make it possible to list connected stations in AP mode over D-Bus, along
with some of their properties: rx/tx packets, bytes, capabilities, etc.

Signed-off-by: Mathieu Trudel-Lapierre <mathieu.trudel-lapierre@canonical.com>

Rebased by Julian Andres Klode <juliank@ubuntu.com> and updated to use
the new getter API.

Further modified by Andrej Shadura to not error out when not in AP mode
and to send separate StationAdded/StationRemoved signals instead of
changing signatures of existing StaAuthorized/StaDeauthorized signals.

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
2018-12-23 17:25:11 +02:00
Andrej Shadura
f5f4c11aa1 dbus: Use dbus_bool_t, not int for boolean function arguments
Properties argument specifies whether to add object's properties
or not, hence it doesn't need to be int.

Signed-off-by: Andrej Shadura <andrew.shadura@collabora.co.uk>
2018-12-23 17:25:11 +02:00
Johannes Berg
7afbbcd2ed tests: Validate that AP doesn't reflect station frames
Add a new test to check that the AP won't send frames to the client if
it tries to talk to itself.

Note that this fails until the relevant mac80211 patch is merged.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2018-12-23 17:25:11 +02:00
Jouni Malinen
95cd50a1ed tests: Fix AP wait in ap_require_ht and ap_require_ht_limited_rates
These test cases seemed to have copy-paste errors where
wait_enabled=False was forgotten even though there was no additional
steps checking the AP mode startup results. This did not break the
tests, but could have resulted in slowing them down if the STAs did not
find the AP in the first scan.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-12-23 17:25:11 +02:00
Jouni Malinen
15b7cc5199 tests: HT STBC overrides
Signed-off-by: Jouni Malinen <j@w1.fi>
2018-12-23 17:25:11 +02:00
Sergey Matyukevich
721d8558bc tests: Allow overriding HT STBC capabilities
Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
2018-12-23 17:25:11 +02:00
Sergey Matyukevich
cdeea70f59 wpa_supplicant: Allow overriding HT STBC capabilities
Allow user to override STBC configuration for Rx and Tx spatial streams.
Add new configuration options to test for HT capability overrides.

Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
2018-12-23 17:25:11 +02:00
Jouni Malinen
43d174b8e2 tests: Automatic channel selection, HT scan, and DFS
Signed-off-by: Jouni Malinen <j@w1.fi>
2018-12-23 17:25:11 +02:00
Jouni Malinen
b586054f95 tests: Work around cfg80211 reg.c intersection (country 98) issues
The Linux kernel commit 113f3aaa81bd ("cfg80211: Prevent regulatory
restore during STA disconnect in concurrent interfaces") broke the
regulatory clearing attempt in many test cases since
cfg80211_is_all_idle() is now returning false due to the AP interface
being up and that results in the Country IE -based regulatory
information not getting cleared back to defaults.

Work around this by stopping the AP interface first so that when the
station interface receives the disconnection, there are no other active
interfaces in the system. In addition, wait for REGDOM event for the
Country IE hint after association to avoid disconnection before the
regulatory events have been fully processed.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-12-23 17:25:11 +02:00
Jouni Malinen
99bc57d0d1 tests: Fix mbo_supp_oper_classes after cfg80211 change
The Linux kernel commit 113f3aaa81bd ("cfg80211: Prevent regulatory
restore during STA disconnect in concurrent interfaces") broke the
regulatory clearing attempt in this test case since
cfg80211_is_all_idle() is now returning false due to the AP interface
being up and that results in the Country IE -based regulatory
information not getting cleared back to defaults.

Work around this by stopping the AP interface first so that when the
station interface receives the disconnection, there are no other active
interfaces in the system. In addition, wait for REGDOM event for the
Country IE hint after association to avoid disconnection before the
regulatory events have been fully processed.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-12-22 16:13:14 +02:00
Jouni Malinen
2cef6f6e89 tests: Enable dynamic debug from cfg80211/mac80211
These debug logs were lost due to CONFIG_DYNAMIC_DEBUG=y.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-12-22 00:18:33 +02:00
Jouni Malinen
0fb292c08e Add SAE to GET_CAPABILITY key_mgmt
Provide information about SAE AKM support in "GET_CAPABILITY key_mgmt"
for completeness. The "GET_CAPABILITY auth_alg" case is already
providing information about SAE support through user space SME.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-12-21 21:49:02 +02:00
Veerendranath Jakkam
8ec7c99ee4 nl80211: Fetch supported AKM list from the driver
Try to fetch the list of supported AKM suite selectors from the driver
through the vendor interface
QCA_NL80211_VENDOR_SUBCMD_GET_SUPPORTED_AKMS. If that command is
available and succeeds, use the returned list to populate the
wpa_driver_capa key_mgmt information instead of assuming all
cfg80211-based drivers support all AKMs. If the driver does not support
this command, the previous behavior is maintained.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-12-21 21:49:02 +02:00
Veerendranath Jakkam
dbe7f6da77 Vendor command to query the supported AKMs from the driver
This new QCA vendor command is used to query the supported AKM suite
selectors from the driver. There has been no such capability indication
from the driver and thus the current user space has to assume the driver
to support all the AKMs. This may be the case with some drivers (e.g.,
mac80211-based ones) but there are cfg80211-based drivers that implement
SME and have constraints on which AKMs can be supported (e.g., such
drivers may need an update to support SAE AKM using
NL80211_CMD_EXTERNAL_AUTH). Allow such drivers to specify the exact set
of supported AKMs so that user space tools can determine what network
profile options should be allowed to be configured. This command returns
the list of supported AKM suite selectors in the attribute
NL80211_ATTR_AKM_SUITES.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-12-21 21:09:48 +02:00
Jouni Malinen
5bcddb9302 DPP: Fix build with LibreSSL 2.8.3
Looks like LibreSSL 2.8 pulled in the OpenSSL API change to mark the
first argument to X509_ALGOR_get0() const.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-12-21 12:21:03 +02:00
Andrey Utkin
837e36583a Fix build with LibreSSL
When using LibreSSL instead of OpenSSL, linkage of hostapd executable
fails with the following error when using some LibreSSL versions

    ../src/crypto/tls_openssl.o: In function `tls_verify_cb':
    tls_openssl.c:(.text+0x1273): undefined reference to `ASN1_STRING_get0_data'
    ../src/crypto/tls_openssl.o: In function `tls_connection_peer_serial_num':
    tls_openssl.c:(.text+0x3023): undefined reference to `ASN1_STRING_get0_data'
    collect2: error: ld returned 1 exit status
    make: *** [Makefile:1278: hostapd] Error 1

ASN1_STRING_get0_data is present in recent OpenSSL, but absent in some
versions of LibreSSL (confirmed for version 2.6.5), so fallback needs to
be defined in this case, just like for old OpenSSL.

This patch was inspired by similar patches to other projects, such as
spice-gtk, pjsip.

Link: https://bugs.gentoo.org/672834
Signed-off-by: Andrey Utkin <andrey_utkin@gentoo.org>
2018-12-21 12:09:11 +02:00
Jouni Malinen
afd38c9fdc tests: hostapd.vlan with bridge ifname
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-12-21 12:02:57 +02:00
Felix Fietkau
4d663233e6 hostapd: Support for overriding the bridge name per VLAN via vlan_file
This makes it easier to integrate dynamic VLANs in custom network
configurations. The bridge name is added after the interface name in the
vlan_file line, also separated by whitespace.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2018-12-21 12:02:57 +02:00
Prasad, Jagadeesh (Contractor)
d2b5138116 DPP: Add self configuration command in hostapd_cli and wpa_cli
The back-end support for DPP self configuration was already present in
hostapd and wpa_supplicant. However, the command to invoke DPP self
configuration was not available in hostapd_cli and wpa_cli. Add the
command "dpp_configurator_sign" in them.

Signed-off-by: Prasad, Jagadeesh <Jagadeesh_Prasad@comcast.com>
2018-12-21 12:02:57 +02:00
Jouni Malinen
9552a7364f tests: DPP_CONFIGURATOR_SIGN without double space
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-12-21 12:02:57 +02:00
Jouni Malinen
53d5de6f1d DPP: Accept DPP_CONFIGURATION_SIGN without double space before parameters
Make this command more convenient to use by not requiring two space
characters between the command and the first parameter.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-12-21 12:02:57 +02:00
Johannes Berg
5b82cdbe8b nl80211: Add support for starting FTM responder
Add support for starting FTM responder when in AP mode. This just sends
the appropriate NEW/SET_BEACON command to the driver with the LCI/civic
location data.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2018-12-21 11:22:35 +02:00
Andrei Otcheretianski
d2c4d1ee11 AP: Configure FTM responder parameters
Enable FTM responder and configure LCI and civic if ftm_responder
configuration option is set. Since ftm_responder configuration existed
before and was used to set extended capability bits, don't fail AP setup
flow if ftm_responder is set, but the driver doesn't advertise FTM
responder support.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2018-12-21 11:19:25 +02:00
Andrei Otcheretianski
4cb618cf2d driver: Add FTM responder configuration APIs
Add configuration options to enable FTM responder and configure LCI and
civic parameters. In addition, introduce WPA_DRIVER_FLAGS_FTM_RESPONDER
flag, which can be used to indicate FTM responder support in AP mode.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2018-12-21 11:18:00 +02:00
Jouni Malinen
6a24adee9c Sync with mac80211-next.git include/uapi/linux/nl80211.h
This brings in nl80211 definitions as of 2018-12-15.

Signed-off-by: Jouni Malinen <j@w1.fi>
2018-12-21 11:12:39 +02:00
Jouni Malinen
3a259f073a tests: Be more careful in clearing REGDOM state
cfg80211 regulatory code gets into pretty inconvenient state if it needs
to intersect regulatory domain information from multiple regulations
(country=98). The existing mechanisms in the hwsim test cases are not
able to clear that up for the following test case and this can result in
large number of failures.

It looks like country=98 case is hit frequently in WNM test cases where
a station associates with an AP that advertises a specific country code
and that station is then asked to disconnect before the REGDOM events
have been received. Avoid this by waiting for the REGDOM events for the
init=COUNTRY_IE case before disconnecting.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-12-21 00:55:31 +02:00
Jouni Malinen
432c0972ad tests: Connect attempt with transmitting/nontransmitting BSS
This adds some minimal testing for Multi-BSS connection attempts. The
part for nontransmitted BSS is limited since hostapd/mac80211 does not
yet have sufficient support for Multi-BSS in AP mode.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-12-20 21:44:33 +02:00
Peng Xu
8d176ae689 tests: Additional Multiple BSSID IE parsing tests
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-12-20 21:41:40 +02:00
Jouni Malinen
586826d4f5 tests: Multiple BSSID element in scan results
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-12-20 21:41:34 +02:00
Jouni Malinen
2a93ecc8ca Expose Multi-BSS STA capability through wpa_supplicant control interface
Indicate whether the driver advertises support for Multi-BSS STA
functionality with "GET_CAPABILITY multibss" (returns "MULTIBSS-STA" if
supported).

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-12-20 21:30:43 +02:00
Jouni Malinen
7488e0ade6 tests: Multi-AP association
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2018-12-20 12:43:43 +02:00
Venkateswara Naralasetty
5abc7823bd wpa_supplicant: Add Multi-AP backhaul STA support
Advertise vendor specific Multi-AP IE in (Re)Association Request frames
and process Multi-AP IE from (Re)Association Response frames if the user
enables Multi-AP fuctionality. If the (Re)Association Response frame
does not contain the Multi-AP IE, disassociate.

This adds a new configuration parameter 'multi_ap_backhaul_sta' to
enable/disable Multi-AP functionality.

Enable 4-address mode after association (if the Association Response
frame contains the Multi-AP IE). Also enable the bridge in that case.
This is necessary because wpa_supplicant only enables the bridge in
wpa_drv_if_add(), which only gets called when an interface is added
through the control interface, not when it is configured from the
command line.

Signed-off-by: Venkateswara Naralasetty <vnaralas@codeaurora.org>
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2018-12-20 12:10:31 +02:00
Venkateswara Naralasetty
9c06f0f6ae hostapd: Add Multi-AP protocol support
The purpose of Multi-AP specification is to enable inter-operability
across Wi-Fi access points (APs) from different vendors.

This patch introduces one new configuration parameter 'multi_ap' to
enable Multi-AP functionality and to configure the BSS as a backhaul
and/or fronthaul BSS.

Advertise vendor specific Multi-AP capabilities in (Re)Association
Response frame, if Multi-AP functionality is enabled through the
configuration parameter.

A backhaul AP must support receiving both 3addr and 4addr frames from a
backhaul STA, so create a VLAN for it just like is done for WDS, i.e.,
by calling hostapd_set_wds_sta(). Since Multi-AP requires WPA2 (never
WEP), we can safely call hostapd_set_wds_encryption() as well and we can
reuse the entire WDS condition.

To parse the Multi-AP Extension subelement, we use get_ie(): even though
that function is meant for parsing IEs, it works for subelements.

Signed-off-by: Venkateswara Naralasetty <vnaralas@codeaurora.org>
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2018-12-20 01:04:14 +02:00
Mathy Vanhoef
3006241e43 tests: OCI validation in WNM-Sleep Exit frames (OCV)
Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-12-17 15:50:12 +02:00
Mathy Vanhoef
fa97981265 OCV: Include and verify OCI in WNM-Sleep Exit frames
Include and verify the OCI element in WNM-Sleep Exit Request and
Response frames. In case verification fails, the frame is silently
ignored.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-12-17 15:50:12 +02:00
Mathy Vanhoef
0059625b77 tests: OCI validation in the AMPE handshake (OCV)
Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-12-17 15:50:12 +02:00
Mathy Vanhoef
034388ac9c OCV: Include and verify OCI in the AMPE handshake
Include and verify the OCI element in AMPE Open and Confirm frames. Note
that the OCI element is included even if the other STA didn't advertise
support of OCV. The OCI element is only required and verified if both
peers support OCV.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-12-17 15:50:12 +02:00
Mathy Vanhoef
716ed96e8d OCV: Pass ocv parameter to mesh configuration
Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-12-17 15:50:12 +02:00
Mathy Vanhoef
a187bf0161 tests: OCI validation in the FILS handshake (OCV)
Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-12-17 15:50:12 +02:00
Mathy Vanhoef
99621dc16c OCV: Include and verify OCI in the FILS handshake
Include and verify the OCI element in FILS (Re)Association Request and
Response frames.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-12-17 15:50:12 +02:00
Mathy Vanhoef
870906d5cc tests: OCI validation in SA Query frames (OCV)
Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-12-17 15:50:12 +02:00
Mathy Vanhoef
5c7d35ba07 Add UNPROT_DEAUTH command for testing OCV
This new wpa_supplicant control interface command can be used to
simplify testing SA Query with OCV.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-12-17 15:50:12 +02:00
Mathy Vanhoef
f91e68e903 OCV: Perform an SA Query after a channel switch
After the network changed to a new channel, perform an SA Query with the
AP after a random delay if OCV was negotiated for the association. This
is used to confirm that we are still operating on the real operating
channel of the network. This commit is adding only the station side
functionality for this, i.e., the AP behavior is not changed to
disconnect stations with OCV that do not go through SA Query.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-12-17 15:50:12 +02:00
Mathy Vanhoef
f9da7505bf OCV: Include and verify OCI in SA Query frames
Include an OCI element in SA Query Request and Response frames if OCV
has been negotiated.

On Linux, a kernel patch is needed to let clients correctly handle SA
Query Requests that contain an OCI element. Without this patch, the
kernel will reply to the SA Query Request itself, without verifying the
included OCI. Additionally, the SA Query Response sent by the kernel
will not include an OCI element. The correct operation of the AP does
not require a kernel patch.

Without the corresponding kernel patch, SA Query Requests sent by the
client are still valid, meaning they do include an OCI element.
Note that an AP does not require any kernel patches. In other words, SA
Query frames sent and received by the AP are properly handled, even
without a kernel patch.

As a result, the kernel patch is only required to make the client properly
process and respond to a SA Query Request from the AP. Without this
patch, the client will send a SA Query Response without an OCI element,
causing the AP to silently ignore the response and eventually disconnect
the client from the network if OCV has been negotiated to be used.

Signed-off-by: Mathy Vanhoef <Mathy.Vanhoef@cs.kuleuven.be>
2018-12-17 15:42:23 +02:00