str_token() can return NULL for the name if the remaining token contains
only the delimiter. Fix this to avoid NULL pointer dereference with a
corner case of an invalid value used in the configuration.
Fixes: ec5c39a557 ("AP: Allow identifying which passphrase station used with wpa_psk_file")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This seems to be needed when using python3 in VM for the ssid_utf8 test
case debug prints from the control interface requests. This breaks
python2 support for the same logging entries, but there does not seem to
be any easy way of addressing this in a manner that works for both
python versions, so move ahead with the python3-only support from now
on.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The new sae_password parameter [|vlanid=<VLAN ID>] can now be used to
assign stations to a specific VLAN based on which SAE Password
Identifier they use. This is similar to the WPA2-Enterprise case where
the RADIUS server can assign stations to different VLANs and the
WPA2-Personal case where vlanid parameter in wpa_psk_file is used.
Signed-off-by: Jouni Malinen <j@w1.fi>
This test case was failing pretty frequently due to an issue in being
able to send out the Provision Discovery Response frame on the operating
channel. Now that wpa_supplicant has a fix for that issue, modify this
test case to hit this error condition every time. In addition, make sure
the possible exception from p2ps_exact_seek() does not get hidden with a
failing remove_group() call in the finally section.
Signed-off-by: Jouni Malinen <j@w1.fi>
This speeds up P2P responses to frames received on an operating channel
in case there is an ongoing P2P listen operation on another channel.
This is applicable to drivers that support multiple channels in
concurrently.
This addresses an issue showing up in the
p2ps_channel_active_go_and_station_different_mcc test case where the
Provision Discovery Request frame can be received on the operating
channel of a group instead of the Listen channel. The response was
delayed until the listen operation timed out and this took too long time
for the peer to receive the response.
Signed-off-by: Jouni Malinen <j@w1.fi>
Allow user space applications to check whether wlan firmware is alive
through an nl80211 vendor command.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This adds a wifi_generation=4/5/6 line to the STATUS output if the
driver reports (Re)Association Request frame and (Re)Association
Response frame information elements in the association or connection
event. Only the generations 4 (HT = 802.11n), 5 (VHT = 802.11ac), and 6
(HE = 802.11ax) are reported.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Process NL80211_ATTR_REQ_IE from the NL80211_CMD_ASSOCIATE event to
allow request IEs to be made available for the SME-in-wpa_supplicant
case similarly to how this is done with SME-in-driver with
NL80211_CMD_CONNECT.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Once mac80211 starts reporting the used Association Request frame IEs in
the association event, wpa_supplicant will update RSN supplicant IE
information based on that and that will make the AP reject EAPOL-Key msg
2/4 in this particular test scenario due to the hack of including two
RSN IEs in the Association Request frame. Accept this sequence as a
valid test execution in addition to the previously expected connection
to avoid reporting incorrect failures.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Extend wpa_psk_file to allow an optional VLAN ID to be specified with
"vlanid=<VLAN ID>" prefix on the line. If VLAN ID is specified and the
particular wpa_psk_file entry is used for a station, that station is
bound to the specified VLAN. This can be used to operate a single
WPA2-Personal BSS with multiple VLANs based on the used passphrase/PSK.
This is similar to the WPA2-Enterprise case where the RADIUS server can
assign stations to different VLANs.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
When filtering is successfully disabled at the end of the terms and
conditions acceptance sequence, add the "X-WFA-Hotspot20-Filtering:
remove" header line to the HTTP response.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
When I replaced the POS() function with ffs() when applying relevant
parts from the original patch, this ended up breaking the frame
construction since the POS() function was supposed to count the bit
offset for the mask with 0 being the LSB instead of 1 returned by ffs().
Furthermore, ffs() is not available in all C libraries (e.g., not
directly exposed by strings.h on Android), so better not depend on that
or compiler builtins for this since there is no need for this to be as
fast as possible in configuration parsing.
Fix this with a simple function to determine the number of bits the
value needs to be shifted left to align with the mask.
Fixes: 11ce7a1bc3 ("HE: Add MU EDCA Parameter Set element (AP)")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
If the ap_handle_timer() timeout is reached for a not-associated STA, do
not default to disassociating that STA first since Disassociation frame
is not really appropriate to send to a STA that is not in associated
state. Instead, skip directly to deauthentication and STA entry removal.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The flags variable needs to be initialized to 0 if check_crl is 0 in
the updated configuration.
Fixes: 159a7fbdea ("crl_reload_interval: Add CRL reloading support")
Signed-off-by: Jouni Malinen <j@w1.fi>
The change is bigger because here we need to catch the error
condition if the last element doesn't fit.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Rather than always iterating elements from frames with pure
u8 pointers, add a type "struct element" that encapsulates
the id/datalen/data format of them.
Then, add the element iteration macros
* for_each_element
* for_each_element_id
* for_each_element_extid
which take, as their first 'argument', such a structure and
iterate through a given u8 array interpreting it as elements.
While at it also add
* for_each_subelement
* for_each_subelement_id
* for_each_subelement_extid
which instead of taking data/length just take an outer element
and use its data/datalen.
Also add for_each_element_completed() to determine if any of
the loops above completed, i.e., it was able to parse all of
the elements successfully and no data remained.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
This allows unexpected cases to terminate parallel-vm.py without being
hidden by the exception handler.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
Some of the WNM implementation expects configuration to be available
(e.g., ieee802_!1_rx_wnm_coloc_intf_req() dereferences wpa_s->conf), so
add a dummy configuration to allow the fuzzer tool to be used.
Signed-off-by: Jouni Malinen <j@w1.fi>
Add test-eapol program that can be used for fuzzing the EAPOL-Key
Supplicant and Authenticator implementations. This tool can write
Supplicant or Authenticator messages into a file as an initialization
step and for the fuzzing step, that file (with potential modifications)
can be used to replace the internally generated message contents.
The TEST_FUZZ=y build parameter is used to make a special build where a
hardcoded random number generator and hardcoded timestamp are used to
force deterministic behavior for the EAPOL-Key operations. This will
also make the implementation ignore Key MIC and AES keywrap errors to
allow processing of modified messages to continue further.
Signed-off-by: Jouni Malinen <j@w1.fi>
There is no need to schedule the postponed RSN preauthentication start
if there are no candidates. Avoid wasting eloop resources for this.
This is most useful for fuzz testing of the 4-way handshake
implementation to avoid getting stuck waiting for this unnecessary one
second time when using eloop to coordinate the Authenticator and
Supplicant state machines.
Signed-off-by: Jouni Malinen <j@w1.fi>
If none of the supported name attributes are present, the name string
was nul terminated only at the end. Add an explicit nul termination at
the end of the last written (or beginning of the buffer, if nothing is
written) to avoid writing uninitialized data to debug log.
Signed-off-by: Jouni Malinen <j@w1.fi>
Explicitly check the remaining buffer length before trying to read the
ASN.1 header values. Attempt to parse an ASN.1 header when there was not
enough buffer room for it would have started by reading one or two
octets beyond the end of the buffer before reporting invalid data at the
following explicit check for buffer room.
Signed-off-by: Jouni Malinen <j@w1.fi>
tlsv1_record_receive() did not return error here and as such, &alert was
not set and must not be used. Report internal error instead to avoid use
of uninitialized memory.
Signed-off-by: Jouni Malinen <j@w1.fi>
Add test-tls program that can be used for fuzzing the internal TLS
client and server implementations. This tool can write client or server
messages into a file as an initialization step and for the fuzzing step,
that file (with potential modifications) can be used to replace the
internally generated message contents.
The TEST_FUZZ=y build parameter is used to make a special build where a
hardcoded random number generator and hardcoded timestamp are used to
force deterministic behavior for the TLS operations.
Signed-off-by: Jouni Malinen <j@w1.fi>
conn->cred might be NULL here, so check for that explicitly before
checking whether conn->cred->cert_probe is set. This fixes a potential
NULL pointer dereference when going through peer certificates with
event_cb functionality enabled.
Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen