Commit graph

15768 commits

Author SHA1 Message Date
Alexander Wetzel
0e05e8781a Simplify wpa_deny_ptk0_rekey documentation
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-02-23 23:59:58 +02:00
Alexander Wetzel
a5944db04a Add wpa_deny_ptk0_rekey to AP get_config() output
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-02-23 23:58:19 +02:00
Alexander Wetzel
8a1660b607 common: Add missing driver flag strings
Add SAFE_PTK0_REKEYS and some other missing strings.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-02-23 23:53:29 +02:00
Jouni Malinen
af9d8c758d tests: Use proper temp files for dynamically created config
Replace the hardcoded /tmp filenames for generated ACL and BSS
configuration files with proper temporary files from tempfile.mkstemp()
to avoid conflicts with existing files or with parallel uses. Remove ACL
files from the local directory at the end of each test case. BSS files
are currently left behind, but can be cleaned up separately if needed
for non-VM testing (VM testing has those on ramdrive so they get dropped
automatically at the end) and for remote devices.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-23 18:20:50 +02:00
Jouni Malinen
6998ef48c8 tests: Remove unused BSS configuration files
These are now generated dynamically.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-23 17:52:56 +02:00
Jouni Malinen
92f08a3ccd tests: Generate BSS config files in ap_bss_add_remove_during_ht_scan
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-23 17:52:53 +02:00
Jouni Malinen
a066644fcb tests: Generate BSS configuration files in ap_bss_add_out_of_memory
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-23 17:50:44 +02:00
Jouni Malinen
791acc676c tests: Generate BSS configuration files in ap_bss_config_file
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-23 17:50:44 +02:00
Jouni Malinen
387d96f7c5 tests: remove: Fix a typo in a comment
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-23 17:50:44 +02:00
Janusz Dziedzic
bdff1be152 tests: Extend wpas_ctrl_bssid_filter for remote testing
When this test case is ran in remote test environment, there could be
additional APs in scan results after bssid_filter has been disabled.
That breaks the check on SCAN_RESULTS output. Extend this to cover the
remote testing case by using bssid_filter with both known APs listed
instead of full wildcard.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
2020-02-23 17:50:44 +02:00
Janusz Dziedzic
e206c93f31 tests: Fix multi_check() for remote testing
Don't use hardcoded BSSID; instead use the real BSSID from the device.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
2020-02-23 17:50:44 +02:00
Janusz Dziedzic
ba1ff57ad2 tests: remote: Generate and send BSS configuration files
Instead of hardcoded bss-[1-6]*.conf files, generate them using the
correct BSSID for each AP device and send/install them on the remote
client as well if needed.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
2020-02-23 17:50:44 +02:00
Janusz Dziedzic
4b04223f24 hostapd: Replace UDP ctrl_iface global cookies with per-instance ones
The cookie values for UDP control interface commands was defined as a
static global array. This did not allow multi-BSS test cases to be
executed with UDP control interface. For example, after
    hapd1 = hostapd.add_bss(apdev[0], ifname1, 'bss-1.conf')
    hapd2 = hostapd.add_bss(apdev[0], ifname2, 'bss-2.conf')

hapd1->ping() did not work.

Move those cookie values to per-instance location in struct
hapd_interfaces and struct hostapd_data to fix this.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
2020-02-23 17:48:34 +02:00
Janusz Dziedzic
4d14838421 tests: Generate ACL files
Generate ACL files instead of using files with hardcoded values for the
STA MAC addresses. Send the generated files also to the remote client if
required.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
2020-02-23 16:38:23 +02:00
Janusz Dziedzic
16f18b2ca7 tests: remotehost: Add send_file()
Some hostapd test cases use configuration files, e.g., ACLs in BSS
configuration. When executing remote tests (udp), we have to first send
these configuration files to the appropriate remote device. The new
send_file() helper can be used for that.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
2020-02-23 15:48:46 +02:00
Janusz Dziedzic
12fb9698ab Use IFNAME= prefix for global UDP control interface events
There does not seem to be a good reason for using the different IFACE=
prefix on the UDP control interface. This got added when the UDP
interface in wpa_supplicant was extended in commit f0e5d3b5c6
("wpa_supplicant: Share attach/detach/send UDP ctrl_iface functions")
and that was then extended to hostapd in commit e920805685 ("hostapd:
Extend global control interface notifications").

Replace the IFACE= prefix in UDP case with IFNAME= to be consistent with
the UNIX domain socket based control interface.

This fixes a problem when at least one test case fail (hapd_ctrl_sta)
when remote/udp used. This also fixes test_connectivity().

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
2020-02-23 15:40:58 +02:00
Janusz Dziedzic
7a934fe72a tests: remote: Handle different ifconfig output formats
We could have different ifconfig output formats on the remote devices,
so make the parser more flexible to handle such cases.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
2020-02-23 15:34:06 +02:00
Janusz Dziedzic
f8b26af741 tests: remote: Allow hwsim test cases with more than two arguments
This allows more test cases to be run in remote setup. Previously, we
used to block all test cases that required more than two arguments
(i.e., that needed the params argument).

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
2020-02-23 15:21:22 +02:00
Janusz Dziedzic
876785aeba tests: remote: Show dev/apdev for hwsim
In case the hwsim wrapper is used in remote tests, show also which
device will be used as
apdev - hostapd
dev - wpa_supplicant

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
2020-02-23 15:18:49 +02:00
Janusz Dziedzic
0de85869a8 tests: remote: Kill correct hostapd/wpa_supplicant process
Kill hostapd and wpa_supplicant based on the configuration parameters.
Previously, we could have killed wrong processes.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
2020-02-23 15:13:47 +02:00
Janusz Dziedzic
ec5de19549 tests: remote: Switch to python3
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
2020-02-23 15:13:11 +02:00
Alexander Wetzel
293631f177 IBSS RSN: Coding style cleanup
Use consistent style for pointers.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-02-23 13:12:28 +02:00
Alexander Wetzel
5742d12d4a tests: Allow PTK0 rekey for tests
Verify PTK0 rekey blocking is working as intended.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-02-23 13:11:02 +02:00
Alexander Wetzel
1f90a49d02 STA: Allow PTK rekeying without Ext KeyID to be disabled as a workaround
Rekeying a pairwise key using only keyid 0 (PTK0 rekey) has many broken
implementations and should be avoided when using or interacting with
one. The effects can be triggered by either end of the connection and
range from hardly noticeable disconnects over long connection freezes up
to leaking clear text MPDUs.

To allow affected users to mitigate the issues, add a new configuration
option "wpa_deny_ptk0_rekey" to replace all PTK0 rekeys with fast
reconnects.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-02-23 13:05:19 +02:00
Alexander Wetzel
1a7963e36f AP: Allow PTK rekeying without Ext KeyID to be disabled as a workaround
Rekeying a pairwise key using only keyid 0 (PTK0 rekey) has many broken
implementations and should be avoided when using or interacting with
one. The effects can be triggered by either end of the connection and
range from hardly noticeable disconnects over long connection freezes up
to leaking clear text MPDUs.

To allow affected users to mitigate the issues, add a new hostapd
configuration option "wpa_deny_ptk0_rekey" to replace all PTK0 rekeys
with disconnection. This requires the station to reassociate to get
connected again and as such, can result in connectivity issues as well.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-02-23 12:22:49 +02:00
Alexander Wetzel
35da7c20ac nl80211: Add driver capability flag for CAN_REPLACE_PTK0
The CAN_REPLACE_PTK0 flag provided by nl80211 can be used to detect if
the card/driver is explicitly indicating capability to rekey STA PTK
keys using only keyid 0 correctly.

Check if the card/driver supports it and make the status available as a
driver flag.

Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
2020-02-23 12:00:23 +02:00
Jouni Malinen
7b26238d46 Do not skip MBO PMF check with the WPS special case WPA check exception
The MBO PMF check for AP SME in the driver case was added into a
location that is skipped for WPS processing. That was not really the
correct place for this since the skip_wpa_check label was supposed to
remain immediately following the WPA checks. While this does not really
have much of a practical impact, move the check around so that the
skip_wpa_check label remains where it is supposed to be.

Fixes: 4c572281ed ("MBO: Mandate use of PMF for WPA2+MBO association (AP)")
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-22 19:20:44 +02:00
Ouden
fae7e64aa3 Save RM enabled capability of station with AP SME
Save RM enabled capability element of an associating station when
hostapd use the device AP SME similarly to how this information is saved
with SME-on-hostapd cases. This allows radio measurement operations
(e.g., REQ_BEACON) to be used.

Signed-off-by: Ouden <Ouden.Biz@gmail.com>
2020-02-22 19:20:44 +02:00
Jouni Malinen
e9ac44fcbc Make INTERWORKING_CONNECT more reliable in testing environment
Pick the most recently added BSS entry based on BSSID matching to avoid
issues in testing environment where the SSID of the AP may have changed
and both the old and new BSS is still present in the scan results.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-22 19:20:44 +02:00
Jouni Malinen
1074d42416 Fix a typo in a comment
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-22 19:20:44 +02:00
Jouni Malinen
8fe7ec6640 Remove Secondary Channel Offset element from Beacon/Probe Response frames
This element is not used in Beacon or Probe Response frames (which is
the reason why the standard does not indicate where exactly it would be
in those frames..); HT Operation element has this information and so
does Extended CSA element.

In practice, this reverts the functionality added in commit 76aab0305c
("Add secondary channel IE for CSA").

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-22 19:20:44 +02:00
Jouni Malinen
7f1529d2a5 Fix HE element order in Beacon and Probe Response frames
Spatial Reuse Parameter Set element is before MU EDCA Parameter Set
element.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-22 19:20:44 +02:00
Jouni Malinen
f3bcd69603 Remove CONFIG_IEEE80211N build option
Hardcoded CONFIG_IEEE80211N to be included to clean up implementation.
More or less all new devices support IEEE 802.11n (HT) and there is not
much need for being able to remove that functionality from the build.
Included this unconditionally to get rid of one more build options and
to keep things simpler.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-22 19:20:44 +02:00
Jouni Malinen
640d59942b Fix location of MDE and RSNXE in Beacon and Probe Response frames
Split the IEs from WPA authenticator state machine into separately added
IEs so that the exact location between these and other elements can be
controlled. This fixes the location of MDE and RSNXE in Beacon and Probe
Response frames. In addition, this swaps the order of BSS Load and RM
Enabled Capabilities elements in Beacon frames to get them into the
correct order (which was already used for Probe Response frames).
Furthermore, this fixes the buffer end checks for couple of elements to
make the implementation more consistent (though, in practice, there is
no impact from this since the old size limit was smaller than needed,
but still sufficiently large to have room for these).

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-22 19:20:44 +02:00
Jouni Malinen
f65da0ca4b tests: Beacon protection
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-21 19:41:36 +02:00
Jouni Malinen
faf6894f35 wlantest: BIGTK fetching and Beacon protection validation
Fetch the BIGTK from EAPOL-Key msg 3/4 and use it to validate MME in
Beacon frames when the AP uses Beacon protection.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-21 19:41:36 +02:00
Jouni Malinen
2d4c78aef7 Configure received BIGTK on station/supplicant side
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-18 00:18:47 +02:00
Jouni Malinen
ecbf59e693 wpa_supplicant configuration for Beacon protection
Add a new wpa_supplicant network profile configuration parameter
beacon_prot=<0/1> to allow Beacon protection to be enabled.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-18 00:18:47 +02:00
Jouni Malinen
16889aff40 Add BIGTK KDE and subelement similarly to IGTK
This provides the BIGTK updates to associated stations similarly to
IGTK.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-17 23:48:24 +02:00
Jouni Malinen
555dcd75ce Generate BIGTK and rekey it with IGTK
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-17 23:48:24 +02:00
Jouni Malinen
323d06187a Parsing of BIGTK KDE in EAPOL-Key frames
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-17 23:48:24 +02:00
Jouni Malinen
3937378abe Parsing of BIGTK subelement in FTE
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-17 23:48:24 +02:00
Jouni Malinen
d2e77310dc driver: Document use of set_key() for BIGTK
Also update the comment to match the current IGTK KeyID range.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-17 23:48:24 +02:00
Jouni Malinen
c1df321b6c AP mode indication of Beacon protection being enabled
Add the new Extended Capability bit for indicating Beacon protection.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-17 23:48:24 +02:00
Jouni Malinen
92d407dbd6 hostapd configuration for Beacon protection
Add a new hostapd configuration parameter beacon_prot=<0/1> to allow
Beacon protection to be enabled.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-17 23:48:24 +02:00
Jouni Malinen
cb86e8bac8 nl80211: Remove an extra closing parenthesis from a debug message
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-17 23:48:24 +02:00
Jouni Malinen
46cb046500 nl80211: Check nla_nest_start() result for NL80211_ATTR_HE_OBSS_PD
nla_nest_start() might fail, so need to check its return value similarly
to all the other callers.

Fixes: a84bf44388 ("HE: Send the AP's OBSS PD settings to the kernel")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-17 19:30:47 +02:00
John Crispin
0b0ee0f15e HE: Propagate BSS color settings to nl80211
Add the code required to send the BSS color settings to the kernel.

Signed-off-by: John Crispin <john@phrozen.org>
2020-02-17 19:28:39 +02:00
Didier Raboud
8155b36fae Fix VERSION_STR printf() calls in case the postfix strings include %
Do not use VERSION_STR directly as the format string to printf() since
it is possible for that string to contain '%'.

Signed-off-by: Didier Raboud <odyx@debian.org>
2020-02-17 19:17:10 +02:00
Jouni Malinen
dd74ddd0df nl80211: Handle AKM suite selectors for AP configuration
Previously only couple of AKM suite selectors were converted into
NL80211_ATTR_AKM_SUITES. Add rest of the AKM suites here. However, since
the current kernel interface has a very small limit
(NL80211_MAX_NR_AKM_SUITES = 2), add the attribute only when no more
than that limit entries are included. cfg80211 would reject the command
with any more entries listed.

This needs to be extended in cfg80211/nl80211 in a backwards compatible
manner, so this seems to be the best that can be done for now in user
space. Many drivers do not use this attribute, so must not reject the
configuration completely when larger number of AKM suites is configured.
Such cases may not work properly with drivers that depend on
NL80211_ATTR_AKM_SUITES value.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
2020-02-17 17:47:34 +02:00