This wpa_drv_if_remove() call was previously modified to fix a different
issue, but that fix resulted in unconditional use of treed memory here
(wpa_supplicant_deinit_iface() frees wpa_s). Make a local copy of
wpa_s->parent to be able to use it after wpa_s is freed. The
mesh_if_created case has wpa_s->parent != wpa_s, so this should be
sufficient way of handling the wpa_drv_if_remove() call here.
Signed-off-by: Jouni Malinen <j@w1.fi>
Use the defines for vht_oper_chwidth values more consistently in
hostapd_set_freq_params() to make this more readable.
Signed-off-by: Jouni Malinen <j@w1.fi>
This commit introduces the vendor command to set the trace level
for the respective QCA host driver module.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The hostapd processing of the AES-SIV AAD was incorrect. The design for
the AAD changed between P802.11ai/D7.0 and D8.0 from a single vector
with concatenated data to separate vectors. The change in the
implementation had missed the change in the aes_siv_decrypt() call for
the num_elem parameter. This happened to work with the mac80211
implementation due to a similar error there.
Fix this by using the correct numbers of vectors in the SIV AAD so that
all the vectors get checked. The last vector was also 14 octets too long
due to incorrect starting pointer, so fix that as well. The changes here
are not backwards compatible, i.e., a similar fix in the Linux mac80211
is needed to make things interoperate again.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
While RFC 5295 uses "8" as the value to use in the length field in KDF
context when deriving EMSKname, it is clearer to use the macro defining
EMSKname as the value since the KDF design in RFC 5295 encodes the
length of the derived data in octets in that part of the context data.
This change is just making the implementation easier to understand while
not actually changing the behavior.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Unlike the EMSKname and rRK derivations, rIK derivation is actually
using the "optional data" component in the context data (see RFC 5295).
RFC 6696 defines that optional data to be the cryptosuite field for rIK.
This was missing from the previous implementation and that resulted in
incorrect rIK being derived.
In addition, the rIK Label string does not actually include the "EAP "
prefix in the way as the rRK Label in RFC 6696 does. This would also
have resulted in incorrect rIK value.
Fix rIK derivation by adding the cryptosuite value into the KDF context
data and fixing the label string. This change is not backwards
compatible and breaks all ERP use cases (including FILS shared key
authentication) with older (broken) and new (fixed)
hostapd/wpa_supplicant builds.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The new FILS-HLP-RX control interface event is now used to report
received FILS HLP responses from (Re)Association Response frame as a
response to the HLP requests configured with FILS_HLP_REQ_ADD.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The new dhcp_server configuration parameter can now be used to configure
hostapd to act as a DHCP relay for DHCPDISCOVER messages received as
FILS HLP requests. The dhcp_rapid_commit_proxy=1 parameter can be used
to configure hostapd to convert 4 message DHCP exchange into a 2 message
exchange in case the DHCP server does not support DHCP rapid commit
option.
The fils_hlp_wait_time parameter can be used to set the time hostapd
waits for an HLP response. This matches the dot11HLPWaitTime in IEEE Std
802.11ai-2016.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This is independent functionality from the core IEEE 802.11 management
handling and will increase significantly in size, so it is cleaner to
maintain this in a separate source code file.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Do not depend on undefined behavior with pointer arithmetic when
checking whether there is sufficient room for an option.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
These can be reused for other purposes than just the DHCP snoofing for
Proxy ARP. In addition, use more complete definition of the parameters
based on the current IANA registry.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Introduce definitions for QCA vendor specific subcommands and attributes
for fetching BSS transition status.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
With device_ap_sme disabled, ACL was checked upon authentication
request. In 802.11ad there is no authentication phase so need to check
ACL upon association.
Signed-off-by: Dedy Lansky <qca_dlansky@qca.qualcomm.com>
This verifies that the temporary STA entry timeout limit does not end up
breaking comeback_delay tests with values larger than five seconds.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Previously, the temporary STA session timeout was set to 5 seconds. If
gas_comeback_delay is configured to be longer than 5 seconds, GAS
Comeback Response frame can't include queried information as all pending
data has already been cleared due to session timeout. This commit
resolves the issue by setting session timeout to be larger than
gas_comeback_delay.
Signed-off-by: Daniel Kim <kimdan@qca.qualcomm.com>
This test case was triggering false failures with hostapd build that did
not include TEST_* commands.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
This commit introduces QCA vendor commands and the corresponding
attributes to set/get NUD (Network Unreachability Detection) statistics.
The set NUD statistics configures the requisite parameters to the host
driver and thereby triggers the start/stop of collection of statistics.
The get stats fetches the statistics collected in the host driver.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
If vendor_scan_cookie is set to 0 after the scan_abort due to the scan
timeout ends in a cookie mismatch when processing the following
QCA_NL80211_VENDOR_SUBCMD_SCAN_DONE indication. This ends up considering
the scan results as being for an external scan and thus the current
ongoing scan is not removed from the radio_work. Hence, do not reset
this vendor_scan_cookie after the scan abort so that the scan completion
event gets processed properly and vendor_scan_cookie gets cleared at
that point.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
If the keychain holds additional certificates other than the end
certificate, read them into the certificate chain.
Signed-off-by: Paul Stewart <pstew@google.com>
We can only send module specific messages to syslog and not debug
messages printed with wpa_printf. Add an extra command line parameter
'-s' to allow it. The feature is enabled with compile flag
CONFIG_DEBUG_SYSLOG as for wpa_supplicant and behaves in the same manner
as the wpa_supplicant -s command line argument.
Signed-off-by: Wojciech Dubowik <Wojciech.Dubowik@neratec.com>
It was possible to hit this WPA_ASSERT when FST-MANAGER SESSION_REMOVE
command is exececuted when in not-associated state. In
CONFIG_EAPOL_TEST=y builds, this would result in the wpa_supplicant
process being terminated. Convert this WPA_ASSERT to a check that does
not terminate the process, but only rejects the command if wpa_s->bssid
does not match the da argument.
Signed-off-by: Jouni Malinen <j@w1.fi>
Increase the EAPOL RX frame timeout from 100 to 200 ms. This fixes lack
of optimization (i.e., first EAPOL frame dropped) in occasional roaming
and authentication cases on EAP networks if the kernel events can be
reordered and delayed a bit longer.
Signed-off-by: Tomoharu Hatano <tomoharu.hatano@sonymobile.com>
Instead of copying the struct wpa_auth_callbacks, just keep a pointer to
it, keep the context pointer separate, and let the user just provide a
static const structure. This reduces the attack surface of heap
overwrites, since the function pointers move elsewhere.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
If the VHT capability override vht_disabled=1 is used in the network
profile, skip VHT configuration of the local channel.
Signed-off-by: Jouni Malinen <j@w1.fi>
The remote mesh STA which had configuration disable_ht40=1 could have HT
Capabilities element which includes Supported Channel Width Set = 1
(both 20 MHz and 40 MHz operation is supported) even though it had HT
Operation element which includes STA Channel Width = 0 (20 MHz channel
width only). Previously, local peer recognized such a remote peer as 40
MHz band width enabled STA because local peer only checked HT
Capabilities element. This could cause disconnection between
disable_ht40=1 mesh STA and disable_ht40=0 mesh STA. They could
establish a mesh BSS but could not ping with ath9k_htc device. This
commit fixes the issue by refering HT Operation element.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
This functionality can be used outside wpa_set_disable_ht40(), so move
the generic part to a helper function.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
This is a regression test case for SIGSEGV in
wpa_supplicant_remove_iface() if the main interface is removed while a
separate mesh interface is in use.
Signed-off-by: Jouni Malinen <j@w1.fi>
The flush_scan_cache() operations in the finally part of these test
cases ended up getting called when the mesh group was still operating.
This could result in unexpected behavior due to offchannel scan being
performed before the device becomes idle. Clean this up by explicitly
removing the mesh group before cleaning up.
Signed-off-by: Jouni Malinen <j@w1.fi>
This kernel debugging option adds multiple seconds of extra latency to
interface removal operations. While this can be worked around by
increasing timeouts in number of test cases, there does not seem to be
any clean way of working around this for PMKSA cacheching test with
per-STA VIFs (e.g., pmksa_cache_preauth_vlan_used_per_sta_vif).
To avoid unnecessary test failures, remove CONFIG_DEBUG_KOBJECT_RELEASE
from the default config. If someone wants to test with this kernel debug
option, it can be enabled for custom kernel builds while understanding
that it can result in false failure reports and significantly extended
time needed to complete full testing run.
Signed-off-by: Jouni Malinen <j@w1.fi>
If the kernel is built with CONFIG_DEBUG_KOBJECT_RELEASE=y, the cleanup
steps were taking so long that these test cases could fail.
Fix this by increasing the timeout to avoid reporting failures.
Signed-off-by: Jouni Malinen <j@w1.fi>
This adds parsing of received FILS HLP requests from (Re)Association
Request frames. The reassembled requests are verified to be in valid
format and are printed in debug output. However, actual processing or
forwarding of the packets is not yet implemented, i.e., the vendor
specific frame filtering logic is for now practically dropping all HLP
requests.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
The new wpa_supplicant control interface commands FILS_HLP_REQ_FLUSH and
FILS_HLP_REQ_ADD can now be used to request FILS HLP requests to be
added to the (Re)Association Request frame whenever FILS authentication
is used.
FILS_HLP_REQ_ADD parameters use the following format:
<destination MAC address> <hexdump of payload starting from ethertype>
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
If the kernel is built with CONFIG_DEBUG_KOBJECT_RELEASE=y, the hostapd
termination event for the wlan3 interface may be delayed beyond the
previous five second timeout. This could result in the test case failing
and the following test case failing as well due to the separate hostapd
process being still in the process of cleaning up.
Fix this by increasing the timeout to avoid forcing test termination in
such cases.
Signed-off-by: Jouni Malinen <j@w1.fi>
This is useful for now since the IPv6 support for proxyarp is not yet
included in the upstream kernel. This allows the IPv4 test cases to pass
with the current upstream kernel while allowing the IPv6 test cases to
report SKIP instead of FAIL.
Signed-off-by: Jouni Malinen <j@w1.fi>
This describes example steps on how to get the VM testing setup with
parallel VMs configured with Ubuntu Server 16.04.1.
Signed-off-by: Jouni Malinen <j@w1.fi>