Commit graph

16747 commits

Author SHA1 Message Date
Jouni Malinen
41f72d7356 Use sel_est consistently with cur_sel in wpa_supplicant_need_to_roam()
This makes the code a bit easier to read.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-01 17:37:58 +02:00
Matthew Wang
a2c1bebd43 Improve roaming logic
Currently, wpa_supplicant may roam too aggressively; the need_to_roam()
function will return early with a roaming decision if the difference in
signal level or throughput between the current and selected APs is
"sufficiently large." In particular, if the selected AP's estimated
throughput is more than 5k greater than the current AP's estimated
throughput, wpa_supplicant will decide to roam. Otherwise, if the
selected AP's signal level is less than the current AP's signal level,
or the selected AP's estimated throughput is at least 5k less than the
current AP's estimated throughput, wpa_supplicant will skip the roam.
These decisions are based only on one factor and can lead to poor
roaming choices (e.g., a roam should not happen if the selected AP's
estimated throughput meets the threshold but the current signal and
throughput are already good, whereas a roam should happen if the signal
is slightly worse but the estimated throughput is significantly better).

This change standardizes the roaming heuristic for signal strength
difference requirements and will hopefully improve user experience. The
change can be summarized as follows: based on the current signal level,
a certain roaming difficulty is assigned. Based on the selected AP's
estimated throughput relative to the current AP's estimated throughput,
the difficulty is adjusted up or down. If the difference in signal level
meets the threshold, a roam happens.

The hard-coded values were selected purely based on the previous version
of this function. They may eventually need to be fine-tuned for optimal
performance.

Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
2020-01-01 17:33:51 +02:00
Jouni Malinen
9c8d550b77 Allow roam to lower signal level if throughput benefit is significant
Do not prevent roam to a different BSS based only on the signal level
with the current BSS being higher than with the selected BSS. If the
estimated throughput is significantly higher (> 20%), allow roaming if
the following conditions are met.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-01 17:09:18 +02:00
Jouni Malinen
9fafefb9e5 Skip roaming based on signal level difference if current SNR is good
If the current SNR with the associated BSS is sufficiently good (better
than GREAT_SNR = 25), there is limited benefit from moving to another
BSS even if that BSS were to have a higher signal level. As such, skip
roaming based on the signal level difference between the selected BSS
from scan results and the current BSS for such cases.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-01 16:56:40 +02:00
Jouni Malinen
cc7f85ca72 tests: Make ap_wps_conf_pin_* more robust
Explicitly clear cfg80211 scan cache to avoid issues with old BSS
entries from previous test cases.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-01 16:41:33 +02:00
Jouni Malinen
f4f7600adf Use signal_poll noise information for roaming, if available
Using average signal strength from the driver and hardcoded noise floor
does not look like an ideal design since there can be significant
differences in the driver-reported noise floor values. Furthermore, even
though the current noise floor is a snapshot from the driver, it is
common for drivers to use a noise floor value from a longer calibration
step and that should not prevent the driver provided value from being
used. This makes the comparisons of the signal strengths between the
current AP (signal_poll) and other APs (scan) more accurate.

As an example, test runs in home environment showed 5 dB difference
between the driver reported noise floor and the hardcoded value and this
could result in significant differences in estimated throughput
calculation.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-01 13:38:11 +02:00
Jouni Malinen
f97baef254 Clear SME auth_alg on FLUSH
This avoids a testing failure in the following test case sequence:
ap_ft_r1_key_expiration ap_open_external_assoc

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-01 12:33:57 +02:00
Jouni Malinen
568950c6e7 RSN: Do not add PMKSA candidates unnecessarily
Add PMKSA candidates from scan results only if they advertise an AKMP
that is used with RSN pre-authentication. Previously, candidates were
added but then ignored later if the AKMP was not suitable.

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-01 12:26:24 +02:00
Jouni Malinen
0d1d1f0d21 Clear last Michael MIC error timer on FLUSH
TKIP countermeasures were already terminated on FLUSH, but the timer for
detecting two Michael MIC errors within 60 seconds was left behind. This
resulted in test case failures with following test sequence:
ap_cipher_tkip_countermeasures_sta ap_cipher_tkip_countermeasures_sta2

Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-01 12:23:25 +02:00
Jouni Malinen
19d4a5de11 tests: Fix a missing parentheses in an error message
Signed-off-by: Jouni Malinen <j@w1.fi>
2020-01-01 12:23:25 +02:00
Jouni Malinen
be5dda94e5 tests: Make rrm_beacon_req_table_request more robust
Explicitly clear cfg80211 scan cache to avoid issues with old BSS
entries from previous test cases.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-12-31 11:51:25 +02:00
Matthew Wang
69ccc557d8 wpa_supplicant: Fall back to avg_signal in roaming decision
Some drivers (e.g. Marvell WiFi) don't report avg_beacon_signal, but
it's still useful to poll for the signal again when a roaming decision
needs to be made. Use si.avg_signal when si.avg_beacon_signal is not
available.

Signed-off-by: Matthew Wang <matthewmwang@chromium.org>
2019-12-31 00:23:42 +02:00
Emmanuel Grumbach
7e7b23e229 Update throughput estimate for the current BSS based on signal poll
We saw that on certain platforms in certain places we keep switching
between two APs and eventually get the same RSSI. Debugging showed that
we have a very big difference between the two antennas.

Ant A can hear AP A very well (-60) but AP B very bad (-80)
Ant B can hear AP B very well (-60) but AP A very bad (-80)

When the device associates to AP A, it'll learn to use Ant A. If the
device uses one single antenna to receive the scan results, it may hear
the AP it is currently associated to on the second antenna and get bad
results. Because of that, the wpa_supplicant will roam to the other AP
and the same scenario will repeat itself:

Association to AP A (Ant A reports -60).
Scan on Ant A: AP A: -60, AP B: -80
Scan on Ant B: AP A: -80, AP A: -60 ==> ROAM.

Association to AP B (Ant B reports -60)
Scan on Ant A: AP A: -60, AP B: -80 ==> ROAM

Etc...

Improve this by querying the signal level of the current AP using
drv_signal_poll() instead of relying on the signal level that we get
from the scan results. Also update the throughput estimate based on the
likely more accurate values for the current association.

Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
2019-12-31 00:21:37 +02:00
Emmanuel Grumbach
ad06ac0b04 Move throughput estimation into a helper function
This is a step towards allowing this functionality to update the scan
result -based values with the values from a signal poll for the current
BSS.

Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
2019-12-31 00:17:04 +02:00
Emmanuel Grumbach
ef1a45f28a Move scan/roaming related defines to a header file
This is a step towards allowing these values to be used in both scan.c
and events.c.

Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
2019-12-31 00:04:33 +02:00
Emmanuel Grumbach
98ea9d5d51 Use local variables for current BSS signal strength in roaming
This is a step towards allowing these values to be determined based on
signal poll instead of scan results.

Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
2019-12-30 23:57:47 +02:00
Jouni Malinen
7aa03cfa7b tests: Make ap_hs20_eap_tls more robust
Explicitly clear cfg80211 scan cache to avoid issues with old BSS
entries from previous test cases.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-12-30 22:07:27 +02:00
Jouni Malinen
78e931e7f9 tests: Fix sigma_dut_sae_h2e_rsnxe_mismatch to clear sae_pwe
sae_pwe=1 could be left configured when exiting this test case since
sigma_dut does not guarantee the default value to be restored. This
could result in test case failures, e.g., in the following sequence:
sigma_dut_sae_h2e_rsnxe_mismatch sae_pwe_h2e_only_ap_sta_forcing_loop

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-12-30 19:32:28 +02:00
Ethan Everett
22319c7fed RADIUS client: fix extra retry before failover
This commit changes the failover behavior of RADIUS client. Commit
27ebadccfb ("RADIUS client: Cease endless retry for message for
multiple servers") changed the retry logic, causing RADIUS client to
wait RADIUS_CLIENT_NUM_FAILOVER + 1 timeouts before failing over the
first time. Prior to that commit, RADIUS client would wait
RADIUS_CLIENT_NUM_FAILOVER timeouts before each failover. This was
caused by moving the entry->attempts > RADIUS_CLIENT_NUM_FAILOVER
comparison to before the retry attempt, where entry->attempts is
incremented.

The commit in question set entry->attempts in radius_change_server to 1
instead of 0, so RADIUS client would still only wait
RADIUS_CLIENT_NUM_FAILOVER timeouts for subsequent failovers, the same
as the original behavior.

This commit changes the comparison so the initial failover now happens
after waiting RADIUS_CLIENT_NUM_FAILOVER timeouts, as it did originally.
It also changes the RADIUS_CLIENT_MAX_FAILOVER comparison to prevent an
additional attempt to the primary server after the final failover.

Signed-off-by: Ethan Everett <ethan.everett@meraki.net>
2019-12-30 19:13:51 +02:00
Jouni Malinen
54c154d2c9 tests: radius_acct_unreachable2 to detect retransmissions earlier
It looks like this test case can start showing failures with a change in
the retransmission limit behavior for a server change. Check for
retransmissions every second instead of only at the end of the four
second wait to avoid this.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-12-30 19:13:51 +02:00
Ilan Peer
7bcb63913a tests: Extend the timeout for some SAE error case tests
Commit 407879b690ba ("mac80211: Adjust SAE authentication timeout") in
the kernel tree increased the SAE authentication timeout. This caused
some error case tests to fail. To fix this, extend the timeout for some
error case tests.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2019-12-30 18:57:40 +02:00
Alfonso Sánchez-Beato
02c21c02d0 wpa_supplicant: Do not disconnect on deinit if WoWLAN is enabled
Do not disconnect on interface deinit when WoWLAN is enabled, so we can
boot the system with WoWLAN after S5 (poweroff).

Signed-off-by: Alfonso Sanchez-Beato <alfonso.sanchez-beato@canonical.com>
2019-12-30 18:51:06 +02:00
Matteo Croce
82ba4f2d1b nl80211: Add a driver ops function to check WoWLAN status
Add function that returns whether WoWLAN has been enabled for the device
or not.

Signed-off-by: Alfonso Sanchez-Beato <alfonso.sanchez-beato@canonical.com>
2019-12-30 18:46:29 +02:00
Bilal Hatipoglu
59536a33d8 wpa_cli: WPS-PIN-ACTIVE and WPS-CANCEL events for action scripts
These events were added in commit b1b62a1364 ("WPS: Add WPS-PIN-ACTIVE
and WPS-CANCEL events").

Signed-off-by: Bekir Celik <bekir.celik@airties.com>
Signed-off-by: Bilal Hatipoglu <bilal.hatipoglu@airties.com>
2019-12-30 18:36:57 +02:00
Jouni Malinen
4153243932 tests: Make wps_reg() test cases more robust
Explicitly clear cfg80211 scan cache to avoid issues with old BSS
entries from previous test cases.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-12-30 00:22:23 +02:00
Jouni Malinen
b0621b083d Call hostapd_allowed_address() directly from handle_probe_req()
ieee802_11_allowed_address() did not really do anything useful for the
call from handle_probe_req(), so replace that with a direct call to
hostapd_allowed_address() and make ieee802_11_allowed_address() a static
function.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-12-29 23:44:32 +02:00
Michael Braun
963681723f Fix possible memory leak of RADIUS data in handle_auth()
When returning from handle_auth() after ieee802_11_allowed_address()
returned HOSTAPD_ACL_ACCEPT, but before ieee802_11_set_radius_info() has
been called, identity, radius_cui, and psk might not have been consumed.

Fix this by avoiding the need to free these variables at all.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2019-12-29 23:43:55 +02:00
Michael Braun
d4ceaafc24 Make hostapd_copy_psk_list() non-static
Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2019-12-29 23:34:01 +02:00
Michael Braun
29024efd18 Move the RADIUS cached attributes into a struct
This makes it easier to pass these around and to add new attributes.

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
2019-12-29 23:33:57 +02:00
Jouni Malinen
3cd4db231a FT: Do not deliver RRB messages locally without matching FT/SSID
For FT protocol to work, the BSSs need to be operating an FT AKM with
the same SSID and mobility domain. The previous commit covered the
mobility domain, this covers the other prerequisites. This reduces
unnecessary load from having to allocate queued messages for interfaces
that cannot have valid data.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-12-29 20:41:41 +02:00
Jinglin Wang
c133c785df FT: Check mobility domain when sending RRB message to local managed BSS
Fast BSS Transition requires related APs operating in the same mobility
domain. Therefore, we can check whether the local managed BSS is
operating the same mobility domain before sending multicast/unicast
messages to it. This reduces unnecessary load from having to allocate
queued messages for interfaces that cannot have valid data.

Signed-off-by: Jinglin Wang <bryanwang@synology.com>
Signed-off-by: MinHong Wang <minhongw@synology.com>
2019-12-29 20:32:07 +02:00
Jouni Malinen
0d0baf9f17 tests: RRB wildcard R0KH/R1KH pull with multiple BSSs
Signed-off-by: Jouni Malinen <j@w1.fi>
2019-12-29 20:32:07 +02:00
Jouni Malinen
a422d9b4c2 RRB: More debug prints for local delivery
This makes it easier to figure out how frames are delivered directly
between BSSs operated within a single hostapd process.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-12-29 20:17:57 +02:00
Jouni Malinen
7b1105afef RRB: Do not reorder locally delivered messages
Add new messages to the end of the l2_oui_queue instead of inserting
them at the beginning so that the dl_list_for_each_safe() iteration in
hostapd_oui_deliver_later() goes through the messages in the same order
they were originally queued.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-12-29 20:17:57 +02:00
Jinglin Wang
4834c6869d FT: Fix hostapd_wpa_auth_oui_iter() iteration for multicast packets
When using FT wildcard feature, the inter-AP protocol will send
broadcast messages to discover related APs.

For example,
12/6 16:24:43 FT: Send PMK-R1 pull request to remote R0KH address
    ff:ff:ff:ff:ff:ff
12/6 16:24:43 FT: Send out sequence number request to
    ff:ff:ff:ff:ff:ff

If you have multiple interfaces/BSSs in a single hostapd process,
hostapd_wpa_auth_oui_iter() returned 1 after the first interface was
processed. Iteration in for_each_interface() will be stopped since it
gets a non-zero return value from hostapd_wpa_auth_oui_iter().

Even worse, the packet will not be sent to ethernet because
for_each_interface() returns non-zero value. hostapd_wpa_auth_send_oui()
will then return data_len immediately.

To prevent this, hostapd_wpa_auth_oui_iter() should not return 1 after
any successful transmission to other interfaces, if the dst_addr of
packet is a multicast address.

Signed-off-by: Jinglin Wang <bryanwang@synology.com>
Signed-off-by: MinHong Wang <minhongw@synology.com>
2019-12-29 20:09:52 +02:00
Daniel Kobras
18780c6d67 OpenSSL: Add support for TPM2-wrapped keys
If the header of a PEM-formatted certificate or key in private_key file
indicates that it is wrapped with a TPM2 key, try to autoload the
appropriate OpenSSL engine that can transparently unwrap the key. This
enables systems to use TPM2-wrapped keys as drop-in replacements to
ordinary SSL keys.

This functionality needs
https://git.kernel.org/pub/scm/linux/kernel/git/jejb/openssl_tpm2_engine.git
to be installed as an OpenSSL engine.

Signed-off-by: Daniel Kobras <kobras@puzzle-itc.de>
2019-12-29 11:28:19 +02:00
Jouni Malinen
deb92a6bf9 tests: Make ap_hs20_gas_while_associated_with_pmf more robust
Explicitly clear cfg80211 scan cache to avoid issues with old BSS
entries from previous test cases.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-12-28 23:38:36 +02:00
Jouni Malinen
94e66da6df tests: ignore_broadcast_ssid and SSID List or Short SSID List mismatch
Signed-off-by: Jouni Malinen <j@w1.fi>
2019-12-28 23:21:14 +02:00
Jouni Malinen
974f84bb73 Fix ignore_broadcast_ssid behavior with SSID List and Short SSID List
ignore_broadcast_ssid=1 (or 2) were practically ignored if the Probe
Request frame included the SSID List or Short SSID List elements. Fix
this by requiring exact SSID match whenever ignore_broadcast_ssid is in
use regardless how SSID parameters are set in the Probe Request frame.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-12-28 23:19:44 +02:00
Jouni Malinen
d5c39e1488 tests: Scan using SSID List and Short SSID List elements
Signed-off-by: Jouni Malinen <j@w1.fi>
2019-12-28 23:14:47 +02:00
Andrei Otcheretianski
1c7f652f9e AP: Support Short SSID List element in Probe Request frames
According to IEEE P802.11ax/D6.0, 11.1.4.3.4 (Criteria for sending a
response), AP should answer Probe Request frames if either SSID or Short
SSID matches. Implement this part of the Short SSID use for the BSS (the
collocated 6 GHz BSS case is not covered in this commit).

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2019-12-28 23:13:58 +02:00
Andrei Otcheretianski
522450b7b1 AP: Determine Short SSID value for the BSS
This can be used in the future to implement support for RNR and scanning
extensions using a shorter field for the SSID.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2019-12-28 22:32:14 +02:00
Felix Fietkau
41b06b065e mesh: Fix race condition in mesh mpm new peer handling
When wpa_supplicant receives another new peer event before the first one
has been processed, it tries to add a station to the driver a second
time (which fails) and then tears down the station entry until another
event comes in.

Fix this by only adding a station to the driver if it didn't exist
already.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-12-28 20:56:03 +02:00
Zefir Kurtisi
ef48f1bfb3 Ensure authenticator session timer is applied with wired driver
We use the wired driver for wired port authentication with a slight
extension to add the port into a bridge upon successful authentication
and to remove it from the bridge when the session terminates.

Our expectation was that the Session-Timeout configuration at the RADIUS
server is respected, i.e. the session is terminated and would need
re-authentication - like it is working for WLAN sessions over the
nl80211 driver. Alas, it turned out the session is not terminated with
the wired driver.

It turned out that when ap_handle_session_timer() is executed, the
sta->flags of the wired port has only the WLAN_STA_AUTHORIZED bit set.
The WLAN_STA_AUTH bit, which is used to check whether the STA needs to
be de-authenticated, is missing.

Extend the check for any of the WLAN_STA_(AUTH | ASSOC | AUTHORIZED)
bits to solve this issue with the wired driver. That should not have any
side-effect for the WLAN cases since WLAN_STA_AUTH is expected to always
be set for those when there is an ongoing session and separate checks
for ASSOC and AUTHORIZED don't change this.

Signed-off-by: Zefir Kurtisi <zefir.kurtisi@neratec.com>
2019-12-28 20:50:05 +02:00
Jouni Malinen
44adf014ff tests: Fix he_supported() check with python3
This was making error paths on HE test cases fail with:
TypeError: a bytes-like object is required, not 'str'

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-12-28 19:52:47 +02:00
Jouni Malinen
d0cd750435 tests: Make ap_hs20_roaming_consortium more robust
Explicitly clear cfg80211 scan cache to avoid issues with old BSS
entries from previous test cases.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-12-28 19:05:50 +02:00
Jouni Malinen
ece9aa627a tests: Make ap_cipher_mixed_wpa_wpa2 more robust
Explicitly clear cfg80211 scan cache to avoid issues with old BSS
entries from previous test cases.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-12-28 19:03:22 +02:00
Lubomir Rintel
a383db0646 defconfig: Enable MACsec
Debian and Fedora enable it, NetworkManager uses it.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
2019-12-28 18:28:10 +02:00
Jouni Malinen
53661e3a9a Allow debug log to be written to both syslog and file
If hostapd or wpa_supplicant is started with both -s and -f command line
arguments, debug log ended up being written only into syslog and the log
file was left empty. Change this so that the log entries will be written
to both places. Either -s or -f (or both) results in debug log to stdout
being disabled which was already the case.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-12-28 18:28:10 +02:00
Jouni Malinen
53a96146fb tests: Ignore fe80::ff:fe00:300 NS from AP for now in proxyarp tests
This NS seems to go out from the AP interface every now and then and it
makes proxyarp_open_ebtables_ipv6 fails inconveniently often. That frame
should not really be there, but it's not clear what exactly is needed to
stop it going through. It does not come from the test operations
themselves, so ignore it for now to keep test results cleaner.

Signed-off-by: Jouni Malinen <j@w1.fi>
2019-12-28 17:17:05 +02:00