Commit graph

9488 commits

Author SHA1 Message Date
Jouni Malinen
8b6b6d8238 Fix hostapd.conf description of HT40+
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-21 20:04:01 +02:00
Jouni Malinen
20ff2642e1 WPS: Clear WPS data on init failure
It was possible for hapd->wps_beacon_ie and hapd->wps_probe_resp_ie to
be set if WPS initialization in hostapd failed after having set these
parameters (e.g., during UPnP configuration). In addition, many of the
other WPS configuration parameters that were allocated during the first
part of the initialization were not properly freed on error paths.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-21 13:23:23 +02:00
Jouni Malinen
d2a4005b3b tests: Verify Pre-authentication EAPOL status
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-21 12:56:48 +02:00
Jouni Malinen
910f16ca0e tests: EAP-SIM/AKA with protected result indication
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-21 12:56:48 +02:00
Jouni Malinen
f19e370e15 WPS: Do not advertise WPA/WPA2-Enterprise Auth Type Flags
While the device itself may support WPA/WPA2-Enterprise, enrollment of
credentials for EAP authentication is not supported through WPS. As
such, there is no need to claim support for these capabilities within
WPS information.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-20 15:13:48 +02:00
Jouni Malinen
c37b02fcc4 tests: Authentication server using PKCS#12 file
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-20 00:16:00 +02:00
Jouni Malinen
2a6a2192b7 tests: Invalid ca_cert hash:// value
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-20 00:02:00 +02:00
Jouni Malinen
c61dca40a4 tests: TLS domain_suffix_match rejection due to incomplete label match
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-19 23:50:57 +02:00
Jouni Malinen
5c65e277a0 tests: Increase altsubject_match coverage
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-19 23:46:53 +02:00
Jouni Malinen
1b5df9e591 nl80211: Do not indicate scan started event on scan_for_auth
The scan_for_auth workaround for cfg80211 missing a BSS entry for the
target BSS during authentication uses a single channel scan controlled
within driver_nl80211.c. This operation does not indicate
EVENT_SCAN_RESULTS to the upper layer code. However, it did report
EVENT_SCAN_STARTED and this resulted in the radio work protection code
assuming that an external program triggered a scan, but that scan never
completed. This resulted in all new radio work items getting stuck
waiting for this scan to complete.

Fix this by handling the scan_for_auth situation consistently within
driver_nl80211.c by filtering both the EVENT_SCAN_STARTED and
EVENT_SCAN_RESULTS.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-18 22:48:44 +02:00
Jouni Malinen
bb2382619a HS 2.0R2: Clean up debug log during exit path
deinit_ctx() may print debug information, so do not call
wpa_debug_close_file() before deinit_ctx().

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-18 00:40:04 +02:00
Jouni Malinen
48408fce2f HS 2.0R2: Do not mandate OCSP response for EST operations
OCSP validation is required only for the OSU operations and since the
EST server may use a different server certificate, it may not
necessarily support OCSP.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-18 00:39:58 +02:00
Jouni Malinen
8f60293d3f HS 2.0R2: Do not use OSU cert validation for EST
There is no requirement for the EST server to use an OSU server
certificate, so do not require friendly name and icon hash matches for
EST cases.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-18 00:39:49 +02:00
Jouni Malinen
40bdceac88 HS 2.0R2: Configure OSU client trust root more consistently
Some of the code paths could have ended up ignoring CA file name from
command line due to overly complex way of setting ctx->ca_fname.
Configure this more consistently in osu_client.c as soon as the CA file
name has been determined.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-18 00:39:39 +02:00
Jouni Malinen
4d65deda7f HS 2.0R2: Clean up debug from libcurl
Do not truncate CURLINFO entries on first linefeed to get full IN/OUT
headers and data into debug log. Use wpa_hexdump_ascii() if any
non-displayable characters are included. Remove the separate header/data
debug dumps since all that information is now available from the debug
callback.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-18 00:39:35 +02:00
Jouni Malinen
f4e3860f8a Fix AP mode default TXOP Limit values for AC_VI and AC_VO
These were previous set to 3.0 and 1.5 ms which ended up using values 93
and 46 in 36 usec inits. However, the default values for these are
actually defined as 3.008 ms and 1.504 ms (94/47) and those values are
also listed in the hostapd.conf example.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-17 18:48:40 +02:00
Jouni Malinen
47bd94a09f TLS testing: Add new test cases for RSA-DHE primes
test-tls-4: Short 511-bit RSA-DHE prime
test-tls-5: Short 767-bit RSA-DHE prime
test-tls-6: Bogus RSA-DHE "prime" 15
test-tls-7: Very short 58-bit RSA-DHE prime in a long container
test-tls-8: Non-prime as RSA-DHE prime

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-16 12:43:49 +02:00
Jouni Malinen
f5bbb2f284 TLS client: Reject RSA-DHE prime if it shorter than 768 bits
Such short primes cannot really be considered secure enough for
authentication purposes.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-16 12:43:37 +02:00
Jouni Malinen
817742f5aa TLS testing: Fix test_flags check for ApplData report
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-16 10:59:17 +02:00
Jouni Malinen
44bb91066b tests: wpa_supplicant MIB command
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-16 00:18:03 +02:00
Jouni Malinen
fb5c8cea95 tests: Supplicant-enforced PTK rekey
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-16 00:13:23 +02:00
Jouni Malinen
77b4a71180 tests: TDLS discovery
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-16 00:03:07 +02:00
Jouni Malinen
6ea231e6d4 tests: EAP TLS parameters using configuration blobs
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-15 23:52:43 +02:00
Jouni Malinen
1120e45232 Allow config blobs to be set through ctrl_iface
"SET blob <name> <hexdump>" can now be used to set a configuration blob
through the wpa_supplicant control interface.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-15 23:51:37 +02:00
Michal Kazior
c3722e1241 ACS: Fix VHT20
The center segment0 calculation for VHT20 ACS was incorrect. This caused
ACS to fail with: "Could not set channel for kernel driver".

Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
2014-03-15 19:04:31 +02:00
Jouni Malinen
c1cec68b93 tests: WPS AP PIN unlocking
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-15 19:04:31 +02:00
Jouni Malinen
4b727c5c26 tests: WPS AP configuration using external settings management
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-15 19:04:31 +02:00
Jouni Malinen
e8518757c9 tests: WPS PIN request file
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-15 19:04:31 +02:00
Jouni Malinen
7af87019ec tests: More HT40 co-ex scan cases
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-15 19:04:31 +02:00
Jouni Malinen
49b74430d9 Fix HT40 co-ex scan for some pri/sec channel switches
Secondary channel was compared incorrectly (-4/4 vs. actual channel
number) which broke matching neighboring 40 MHz BSSes and only the
no-beacons-on-secondary-channel rule was applied in practice. Once
sec_chan was fixed, this triggered another issue in this function where
both rules to switch pri/sec channels could end up getting applied in a
way that effectively canceled the switch.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-15 19:04:31 +02:00
Jouni Malinen
018ead4218 tests: VLAN with tagged interface
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-15 19:04:31 +02:00
Jouni Malinen
a424259a9b tests: AP using inactivity poll/disconnect
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-15 19:04:31 +02:00
Jouni Malinen
e59aa78240 tests: Go to listen state in go_neg_pin_authorized
Previusly, the responding device was left in p2p_find state as a
consequence of using discover_peer() if the peer was not already known.
This was not the sequence that was supposed to be used here. Go to
listen-only state when waiting for the peer to initiate a previously
authorized GO Negotiation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-15 19:04:31 +02:00
Jouni Malinen
55c11d40da tests: RSN pre-authentication
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-15 19:04:31 +02:00
Jouni Malinen
8a9a3b34dd tests: WDS STA mode
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-15 19:04:31 +02:00
Jouni Malinen
5bdac4abce Remove unused STA entry information
previous_ap and last_assoc_req were not really used for anything
meaninful, so get rid of them to reduce the size of per-STA memory
allocation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-15 09:57:10 +02:00
Jouni Malinen
d05ff96012 tests: SAE mixed network and forced anti-clogging
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-15 09:38:30 +02:00
Jouni Malinen
06eaa23341 tests: PeerKey attempt with unknown peer
Signed-off-by: Jouni Malinen <j@w1.fi>
2014-03-15 00:47:06 +02:00
Jouni Malinen
c9d9ee94e5 Fix hostapd_add_iface error path to deinit partially initialized BSS
It was possible for the control interface and some of the BSS setup to
be left partially initialized in failure cases while the BSS structures
were still freed. Fix this by properly cleaning up anything that may
have passed initialization successfully before freeing memory.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-14 21:58:46 +02:00
Jouni Malinen
6829da39e6 Fix external radio_work deinit path
The radio_work type was stored within the dynamically allocated
wpa_radio_work buffer and that buffer ended up getting freed before the
final use of the type string within radio_work_done(). This resulted in
freed memory being used for a debug print. Avoid this by freeing the
wpa_external_work instance after having completed radio_work_done() for
the related work.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-14 21:58:46 +02:00
Jouni Malinen
8dd9f9cdde Allow management group cipher to be configured
This allows hostapd to set a different management group cipher than the
previously hardcoded default BIP (AES-128-CMAC). The new configuration
file parameter group_mgmt_cipher can be set to BIP-GMAC-128,
BIP-GMAC-256, or BIP-CMAC-256 to select one of the ciphers defined in
IEEE Std 802.11ac-2013.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-14 21:58:45 +02:00
Manish Bansal
67d39cfb32 P2P: Do not create another group interface on NFC Token enable
If a group interface is present and the command was issued on the group
interface, enable the token for that interface instead of creating a new
one.

Signed-off-by: Manish <manish.bansal@broadcom.com>
2014-03-14 21:58:45 +02:00
Paul Stewart
6aa1cd4e06 wpa_supplicant: Apply VHT_OVERRIDES to wpas_start_assoc_cb()
A previous patch "Support VHT capability overrides" missed one
place where HT overrides were being applied and where it would
also be useful to apply VHT overrides.

Signed-hostap: Paul Stewart <pstew@chromium.org>
2014-03-14 21:50:58 +02:00
Paul Stewart
db63757dbc hostapd: Supply default parameters for OBSS scan
For some client OBSS implementations that are performed in
firmware, all OBSS parameters need to be set to valid values.
Do this, as well as supplying the "20/40 Coex Mgmt Support"
flag in the extended capabilities IE.

Signed-hostap: Paul Stewart <pstew@chromium.org>
2014-03-14 21:49:08 +02:00
Dmitry Shmidt
6e9375e4e1 TDLS: Add get_capability tdls command
Command returns info in format: UNSUPPORTED/INTERNAL/EXTERNAL

Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
2014-03-14 21:40:57 +02:00
Johannes Berg
ea7526bfb3 tests: Verify VHT20 with center freq seq0 set to zero
This was found through a mac80211 bug which didn't correctly accept a
center segment 0 value of zero, so the test will fail until the mac80211
bug is fixed.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2014-03-14 17:07:18 +02:00
Johannes Berg
67e1a402df hostapd: For VHT 20/40, allow center segment 0 to be zero
The 802.11ac amendment specifies that that the center segment 0 field
is reserved, so it should be zero. Hostapd previously required it to
be set, which is likely a good idea for interoperability, but allow it
to be unset. However, don't allow it to be set to a random value, only
allow zero and the correct channel.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2014-03-14 17:07:17 +02:00
Jouni Malinen
656a3ef276 tests: Static MAC ACL
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-13 23:27:11 +02:00
Jouni Malinen
a4292b3f3b tests: require_vht=1
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-13 23:17:04 +02:00
Jouni Malinen
d627e1315e tests: Use disable_dgaf=1 for more coverage
This runs one of the HS 2.0 test cases with DGAF disabled.

Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
2014-03-13 23:14:08 +02:00