Replace the hardcoded /tmp filenames for generated ACL and BSS
configuration files with proper temporary files from tempfile.mkstemp()
to avoid conflicts with existing files or with parallel uses. Remove ACL
files from the local directory at the end of each test case. BSS files
are currently left behind, but can be cleaned up separately if needed
for non-VM testing (VM testing has those on ramdrive so they get dropped
automatically at the end) and for remote devices.
Signed-off-by: Jouni Malinen <j@w1.fi>
When this test case is ran in remote test environment, there could be
additional APs in scan results after bssid_filter has been disabled.
That breaks the check on SCAN_RESULTS output. Extend this to cover the
remote testing case by using bssid_filter with both known APs listed
instead of full wildcard.
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
Instead of hardcoded bss-[1-6]*.conf files, generate them using the
correct BSSID for each AP device and send/install them on the remote
client as well if needed.
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
The cookie values for UDP control interface commands was defined as a
static global array. This did not allow multi-BSS test cases to be
executed with UDP control interface. For example, after
hapd1 = hostapd.add_bss(apdev[0], ifname1, 'bss-1.conf')
hapd2 = hostapd.add_bss(apdev[0], ifname2, 'bss-2.conf')
hapd1->ping() did not work.
Move those cookie values to per-instance location in struct
hapd_interfaces and struct hostapd_data to fix this.
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
Generate ACL files instead of using files with hardcoded values for the
STA MAC addresses. Send the generated files also to the remote client if
required.
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
Some hostapd test cases use configuration files, e.g., ACLs in BSS
configuration. When executing remote tests (udp), we have to first send
these configuration files to the appropriate remote device. The new
send_file() helper can be used for that.
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
There does not seem to be a good reason for using the different IFACE=
prefix on the UDP control interface. This got added when the UDP
interface in wpa_supplicant was extended in commit f0e5d3b5c6
("wpa_supplicant: Share attach/detach/send UDP ctrl_iface functions")
and that was then extended to hostapd in commit e920805685 ("hostapd:
Extend global control interface notifications").
Replace the IFACE= prefix in UDP case with IFNAME= to be consistent with
the UNIX domain socket based control interface.
This fixes a problem when at least one test case fail (hapd_ctrl_sta)
when remote/udp used. This also fixes test_connectivity().
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
We could have different ifconfig output formats on the remote devices,
so make the parser more flexible to handle such cases.
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
This allows more test cases to be run in remote setup. Previously, we
used to block all test cases that required more than two arguments
(i.e., that needed the params argument).
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
In case the hwsim wrapper is used in remote tests, show also which
device will be used as
apdev - hostapd
dev - wpa_supplicant
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
Kill hostapd and wpa_supplicant based on the configuration parameters.
Previously, we could have killed wrong processes.
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
Rekeying a pairwise key using only keyid 0 (PTK0 rekey) has many broken
implementations and should be avoided when using or interacting with
one. The effects can be triggered by either end of the connection and
range from hardly noticeable disconnects over long connection freezes up
to leaking clear text MPDUs.
To allow affected users to mitigate the issues, add a new configuration
option "wpa_deny_ptk0_rekey" to replace all PTK0 rekeys with fast
reconnects.
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
Rekeying a pairwise key using only keyid 0 (PTK0 rekey) has many broken
implementations and should be avoided when using or interacting with
one. The effects can be triggered by either end of the connection and
range from hardly noticeable disconnects over long connection freezes up
to leaking clear text MPDUs.
To allow affected users to mitigate the issues, add a new hostapd
configuration option "wpa_deny_ptk0_rekey" to replace all PTK0 rekeys
with disconnection. This requires the station to reassociate to get
connected again and as such, can result in connectivity issues as well.
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
The CAN_REPLACE_PTK0 flag provided by nl80211 can be used to detect if
the card/driver is explicitly indicating capability to rekey STA PTK
keys using only keyid 0 correctly.
Check if the card/driver supports it and make the status available as a
driver flag.
Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
The MBO PMF check for AP SME in the driver case was added into a
location that is skipped for WPS processing. That was not really the
correct place for this since the skip_wpa_check label was supposed to
remain immediately following the WPA checks. While this does not really
have much of a practical impact, move the check around so that the
skip_wpa_check label remains where it is supposed to be.
Fixes: 4c572281ed ("MBO: Mandate use of PMF for WPA2+MBO association (AP)")
Signed-off-by: Jouni Malinen <j@w1.fi>
Save RM enabled capability element of an associating station when
hostapd use the device AP SME similarly to how this information is saved
with SME-on-hostapd cases. This allows radio measurement operations
(e.g., REQ_BEACON) to be used.
Signed-off-by: Ouden <Ouden.Biz@gmail.com>
Pick the most recently added BSS entry based on BSSID matching to avoid
issues in testing environment where the SSID of the AP may have changed
and both the old and new BSS is still present in the scan results.
Signed-off-by: Jouni Malinen <j@w1.fi>
This element is not used in Beacon or Probe Response frames (which is
the reason why the standard does not indicate where exactly it would be
in those frames..); HT Operation element has this information and so
does Extended CSA element.
In practice, this reverts the functionality added in commit 76aab0305c
("Add secondary channel IE for CSA").
Signed-off-by: Jouni Malinen <j@w1.fi>
Hardcoded CONFIG_IEEE80211N to be included to clean up implementation.
More or less all new devices support IEEE 802.11n (HT) and there is not
much need for being able to remove that functionality from the build.
Included this unconditionally to get rid of one more build options and
to keep things simpler.
Signed-off-by: Jouni Malinen <j@w1.fi>
Split the IEs from WPA authenticator state machine into separately added
IEs so that the exact location between these and other elements can be
controlled. This fixes the location of MDE and RSNXE in Beacon and Probe
Response frames. In addition, this swaps the order of BSS Load and RM
Enabled Capabilities elements in Beacon frames to get them into the
correct order (which was already used for Probe Response frames).
Furthermore, this fixes the buffer end checks for couple of elements to
make the implementation more consistent (though, in practice, there is
no impact from this since the old size limit was smaller than needed,
but still sufficiently large to have room for these).
Signed-off-by: Jouni Malinen <j@w1.fi>
Fetch the BIGTK from EAPOL-Key msg 3/4 and use it to validate MME in
Beacon frames when the AP uses Beacon protection.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add a new wpa_supplicant network profile configuration parameter
beacon_prot=<0/1> to allow Beacon protection to be enabled.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add a new hostapd configuration parameter beacon_prot=<0/1> to allow
Beacon protection to be enabled.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
nla_nest_start() might fail, so need to check its return value similarly
to all the other callers.
Fixes: a84bf44388 ("HE: Send the AP's OBSS PD settings to the kernel")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Do not use VERSION_STR directly as the format string to printf() since
it is possible for that string to contain '%'.
Signed-off-by: Didier Raboud <odyx@debian.org>
Previously only couple of AKM suite selectors were converted into
NL80211_ATTR_AKM_SUITES. Add rest of the AKM suites here. However, since
the current kernel interface has a very small limit
(NL80211_MAX_NR_AKM_SUITES = 2), add the attribute only when no more
than that limit entries are included. cfg80211 would reject the command
with any more entries listed.
This needs to be extended in cfg80211/nl80211 in a backwards compatible
manner, so this seems to be the best that can be done for now in user
space. Many drivers do not use this attribute, so must not reject the
configuration completely when larger number of AKM suites is configured.
Such cases may not work properly with drivers that depend on
NL80211_ATTR_AKM_SUITES value.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This is needed to work around a missing attribute that would cause
cfg80211 to reject some nl80211 commands (e.g.,
NL80211_ATTR_VENDOR_DATA) with new kernel versions that enforce netlink
attribute policy validation.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Use a single block each for webkit and webkit2 signal handlers. This
cleans up browser.c to have clear sections for each webkit API version.
Signed-off-by: Jouni Malinen <j@w1.fi>