Commit message | Author | Age | Files | Lines
* Add support for an optional context parameter to TLS exporter | Ervin Oro | 2019-03-16 | 16 | -24/+62
  Allow an additional context value to be passed to TLS exporter as specified in RFC 5705 section 4. This does not yet implement it for the internal TLS implementation. However, as currently nothing uses context yet, this will not break anything right now. WolfSSL maintainers also stated that they are not going to add context support yet, but would look into it if/when this is required by a published draft or a standard.
  Signed-off-by: Ervin Oro <ervin.oro@aalto.fi>
* tests: Python coding style cleanup (pylint3 bad-whitespace) | Jouni Malinen | 2019-03-16 | 102 | -7648/+7663
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: DPP and provisioning DPP and legacy AKMs | Jouni Malinen | 2019-03-16 | 1 | -4/+103
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP2: Support new legacy+DPP config object credentials | Jouni Malinen | 2019-03-16 | 3 | -41/+113
  This allows devices supporting DPP protocol version 2 or newer to provision networks that enable both the legacy (PSK/SAE) and DPP credentials.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP: Support DPP and SAE in the same network profile | Jouni Malinen | 2019-03-16 | 3 | -6/+24
  Make both DPP and SAE code aware of the cases where the same network profile is configured to enable both DPP and SAE. Prefer DPP over SAE in such cases and start DPP/SAE exchanges based on what both the station and the AP support.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP: Clean up configuration parsing | Jouni Malinen | 2019-03-16 | 4 | -299/+195
  Share a single parsing implementation for both hostapd and wpa_supplicant to avoid code duplication. In addition, clean up the implementation to be more easily extensible.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: Use matching prefix for the ProxyARP IPv6 log files | Jouni Malinen | 2019-03-15 | 1 | -0/+1
  The "_ipv6" part of the file name was missing and this resulted in file names that conflicted with the IPv4 test cases and could overwrite logs for those.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: Decode brctl showmacs output for the debug log | Jouni Malinen | 2019-03-15 | 1 | -1/+1
  This is needed with python3 to make the debug log more readable.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: Remove unnecessary second wait from connect_cmd_reject_assoc | Jouni Malinen | 2019-03-15 | 1 | -8/+5
  It does not look like there would be two CTRL-EVENT-ASSOC-REJECT events here, so only check the first one instead of requiring both to be received with status_code=27. This test case could fail based on the second connection attempt (due to that extra event wait) timing out.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: Make parallel-vm.py log easier to use for debugging failures | Jouni Malinen | 2019-03-15 | 1 | -1/+13
  Print a list of full paths to log files from failed test cases to both the parallel.log and stdout so that they can be easily opened for analysis. In addition, renumber the VM lines in the <timestamp>-parallel.log to match the i+1 numbering used in the log directories and UI that is tracking test execution.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: Make ap_wpa2_eap_peap_params more robust | Jouni Malinen | 2019-03-15 | 1 | -2/+5
  One of the steps that expected failure due to PMKID mismatch did not stop connection attempts. This could result in the following test step failing due to the previous profile with peaplabel=1 getting used to derive the MSK incorrectly.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: Clear pending monitor events before starting scan | Jouni Malinen | 2019-03-15 | 1 | -0/+2
  The wait_event() call for scan completion could have processed a previously received event from a prior scan instead of the newly started one. This could result in flush_scan_cache() assuming there are still results in the cache even though the scan request to clear the cache had not even been started yet.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: External radio work and DISCONNECT clearing connection attempt | Jouni Malinen | 2019-03-15 | 1 | -0/+30
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Remove pending connect and sme-connect radio works on disconnect | Jouni Malinen | 2019-03-15 | 1 | -0/+2
  There was a race condition in a case where a new connection attempt was scheduled as a pending radio work and that was followed by a DISCONNECT command before the pending radio work is started. The pending radio work would not have been deleted in that sequence and instead, it was executed when the radio became available next. This could result in an unexpected connection after an explicit request to disconnect. Fix this by removing pending connect and sme-connect radio works on disconnection request.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: Python coding style cleanup (pylint3 unneeded-not) | Jouni Malinen | 2019-03-15 | 12 | -27/+27
  Use more readable "foo not in bar" construction for the couple of places that did "not foo in bar".
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: Fix run-tests.py module file (-l) handling | Jouni Malinen | 2019-03-15 | 1 | -1/+1
  Prior cleanup broke the indentation here and made the addition of test cases unreachable.
  Fixes: 0663ae22ffc7 ("tests: Do not use tabs for indentation")
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* OpenSSL: Fix build with OpenSSL 1.0.2 | Jouni Malinen | 2019-03-14 | 1 | -1/+1
  X509_get_subject_name() in OpenSSL 1.0.2 does not mark its argument as a const pointer, so need to type cast this to avoid a build warning.
  Fixes: 841205a1ceb1 ("OpenSSL: Add 'check_cert_subject' support for TLS server")
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: SAE anti-clogging request with mesh BSS | Jouni Malinen | 2019-03-14 | 2 | -18/+86
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE: Reduce queue wait time for pending Authentication frames | Jouni Malinen | 2019-03-14 | 1 | -2/+2
  The queue_len * 50 ms wait time was too large with the retransmission timeouts used in the mesh case for SAE. The maximum wait of 750 ms was enough to prevent successful completion of authentication after having hit the maximum queue length. While the previous commit is enough to allow this to complete successfully in a couple of retries, it looks like a smaller wait time should be used here even if it means potentially using more CPU. Drop the processing wait time to queue_len * 10 ms so that the maximum wait time is 150 ms if the queue is full.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* SAE: Improved queuing policy for pending authentication frames | Jouni Malinen | 2019-03-14 | 1 | -11/+60
  The previous design of simply queuing all SAE commit messages was not exactly good at allowing recovery from a flooding state if the valid peer used frequent retransmissions of the SAE message. This could happen, e.g., with mesh BSSs using SAE. The frequent retransmissions and restarts of SAE authentication combined with SAE confirm messages bypassing the queue ended up in not being able to finish SAE exchange successfully. Fix this by modifying the queuing policy to queue SAE confirm messages if there is a queued SAE commit message from the same peer so that the messages within the same exchange do not get reordered. In addition, replace queued SAE commit/confirm message if a new matching message is received from the same peer STA. This is useful for the case where the peer restarts SAE more quickly than the local end has time to process the queued messages.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: DPP and Enrollee rejecting Config Object | Jouni Malinen | 2019-03-14 | 3 | -0/+56
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP2: Testing option for Config Object rejection | Jouni Malinen | 2019-03-14 | 3 | -0/+13
  Add a new testing option to force Enrollee to reject the received Config Object.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP2: Configuration Result message generation and processing | Jouni Malinen | 2019-03-14 | 4 | -30/+456
  Use this new message from Enrollee to Configurator to indicate result of the config object provisioning if both devices support protocol version 2 or newer.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: DPP test cases to handle new behavior due to config result | Jouni Malinen | 2019-03-14 | 1 | -13/+23
  The new DPP Configuration Result message can result in a bit different behavior at the end of the configuration exchange and some of the test cases need more flexibility to work with that DPP2 behavior.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP2: Make DPP version number support available over control interface | Jouni Malinen | 2019-03-14 | 2 | -0/+44
  "GET_CAPABILITY dpp" can now be used to determine which version number of DPP is supported in the build.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: Fix dpp_qr_code_auth_initiator_enrollee to clear gas_address3 | Jouni Malinen | 2019-03-13 | 1 | -0/+7
  gas_address3 was set to 1 in this test case, but it was never cleared. That can result in unexpected behavior in other test cases that depend on gas_address3 being in its default value 0. Clear the parameter explicitly to avoid this. This resulted in an error in the following test sequence: dpp_qr_code_auth_initiator_enrollee gas_anqp_address3_ap_forced
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: Make WNM test case scan clearing more robust | Jouni Malinen | 2019-03-13 | 1 | -5/+11
  There was a race condition on starting the flush_scan_cache() operations if a scan happened to be in progress when the test case ended since the ABORT_SCAN success case did not wait for the pending scan operation to be completed. Wait for the scan completion event in addition to the disconnection event if the ABORT_SCAN command is accepted.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* More robust timer_tick_enabled tracking | Jouni Malinen | 2019-03-13 | 1 | -6/+7
  Do not set sm->timer_tick_enabled if the eloop_register_timeout() call fails so that the next attempt to enable the timer in eapol_enable_timer_tick() can try to recover from unexpected eloop failures. This should not really be needed in practical use cases, but certain out-of-memory test cases can trigger allocation failure in eloop_register_timeout() and if that happens, the previous EAPOL supplicant state machine implementation got pretty much completely stuck for any operation needing the timer.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: Make TDLS test case scan clearing more robust | Jouni Malinen | 2019-03-13 | 2 | -6/+12
  There was a race condition on starting the flush_scan_cache() operations if a scan happened to be in progress when the test case ended since the ABORT_SCAN success case did not wait for the pending scan operation to be completed. Wait for the scan completion event in addition to the disconnection event if the ABORT_SCAN command is accepted.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: Decode station dump output to restore pre-python3 behavior | Jouni Malinen | 2019-03-13 | 1 | -3/+3
  These TDLS test cases missed Popen() result decode() calls in the earlier python3 compatibility changes. Add those to make debug log more readable.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: Make DPP protocol failure testing more robust | Jouni Malinen | 2019-03-13 | 1 | -0/+4
  Wait explicitly for the DPP-NOT-COMPATIBLE event when going through protocol testing with local failures instead of just waiting for a fixed 0.1 second duration. This prevents a test failure at least in dppauth_resp_status_failure in a case where the failing operation may be delayed under heavy CPU load.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: Clear scan results from dev5 in WPS testing | Jouni Malinen | 2019-03-13 | 1 | -0/+4
  Test case sequence "ap_wps_ap_scan_2 ap_wps_pbc_2ap" resulted in a failure due to a scan entry being left behind from the first test case and the second one ending up using that obsolete result during WPS_PBC processing. Fix this by clearing the scan results explicitly on dev5.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* FILS+FT: STA mode validation of PMKR1Name in initial MD association | Jouni Malinen | 2019-03-13 | 1 | -2/+22
  Verify that the AP uses matching PMKR1Name in (Re)Association Response frame when going through FT initial mobility domain association using FILS. This step was missing from the initial implementation, but is needed to match the IEEE 802.11ai requirements for explicit confirmation of the FT key hierarchy (similarly to what is done in FT 4-way handshake when FILS is not used).
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* FILS+FT: AP mode processing of PMKR1Name in initial MD association | Jouni Malinen | 2019-03-13 | 6 | -2/+51
  Derive PMKR1Name during the FILS authentication step, verify that the station uses matching PMKR1Name in (Re)Association Request frame, and add RSNE[PMKR1Name] into (Re)Association Response frame when going through FT initial mobility domain association using FILS. These steps were missed from the initial implementation, but are needed to match the IEEE 802.11ai requirements for explicit confirmation of the FT key hierarchy (similarly to what is done in FT 4-way handshake when FILS is not used).
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* FILS: Do not try to add PMKSA cache entry if caching is disabled | Jouni Malinen | 2019-03-13 | 1 | -1/+2
  This gets rid of a confusing error message "FILS: Failed to add PMKSA cache entry based on ERP" for cases where PMKSA caching is disabled in hostapd (disable_pmksa_caching=1). Functionality remains unchanged, i.e., no cache entry was added before this change either.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Vendor attribute to enable or disable TWT request support | Arif Hussain | 2019-03-13 | 1 | -0/+6
  Add a new QCA vendor attribute for testing purposes.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* nl80211: Clear keys from heap memory before freeing it for get_seqnum | vamsi krishna | 2019-03-13 | 1 | -0/+1
  NL80211_CMD_GET_KEY response may return the actual key in addition to the last used sequence number that we need. That might result in a key being left in unused heap memory after the buffer is freed. Explicitly clear the message payload with the possibly included key material from heap memory before returning from the handler function (and having libnl free the nlmsg) when key information is obtained from the driver using the NL80211_CMD_GET_KEY command.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* P2P: Fix ACS offloading behavior with p2p_no_group_iface=1 | Jayachandran Sreekumaran | 2019-03-13 | 2 | -0/+3
  wpa_s->p2p_go_do_acs was not cleared during P2P group deletion and that resulted in the case of no separate group interface continuing to assume ACS was to be used for consecutive GO starts even if they tried to specify a frequency. Fix this by explicitly clearing wpa_s->p2p_go_do_acs during P2P group deletion and also clear this when processing the P2P_GROUP_ADD if the parameters do not request ACS to be used.
  Fixes: 37ed3254de22 ("P2P: ACS offload for the autonomous GO")
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* nl80211: Exclude PMK when sending NL80211_CMD_DEL_PMKSA explicitly | vamsi krishna | 2019-03-13 | 1 | -1/+2
  Add a check in nl80211 driver layer to not include PMK while sending NL80211_CMD_DEL_PMKSA explicitly. Though it is taken care already in supplicant layer by setting the pmk_len to zero, it would be good to have a check in nl80211 layer in order to avoid future accidental inclusions of keying material in commands that do not need them.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: DPP and duplicated Authentication Response | Jouni Malinen | 2019-03-13 | 1 | -0/+53
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP2: Protocol version indication | Jouni Malinen | 2019-03-13 | 2 | -0/+65
  Send out the new Protocol Version attribute in Authentication Request/Response messages and determine the peer version based on this attribute.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* DPP2: Build configuration flags for DPP version 2 support | Jouni Malinen | 2019-03-13 | 4 | -0/+12
  The new CONFIG_DPP2=y build option for hostapd and wpa_supplicant is used to control whether new functionality defined after the DPP specification v1.0 is included. All such functionality is considered experimental and subject to change without notice and as such, not suitable for production use.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: Make sae_anti_clogging_during_attack more robust | Jouni Malinen | 2019-03-12 | 1 | -1/+1
  Accept a smaller number of token responses in second round to avoid failing this test case as frequently.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: Disable fragm/rts_threshold after testing it | Jouni Malinen | 2019-03-12 | 1 | -0/+13
  The configured fragmentation/RTS threshold value survives AP mode interface restarts, so these values need to be explicitly cleared back to default (disabled). This fixes an issue where some test cases could not work correctly if fragmentation on the interface was enabled. For example, this combination used to fail: ap_fragmentation_open ap_hs20_fetch_osu
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Allow fragmentation/RTS threshold to be disabled explicitly | Jouni Malinen | 2019-03-12 | 3 | -8/+10
  hostapd configuration parameters fragm_threshold and rts_threshold were documented to disable the threshold with value -1 and not change driver configuration if the parameter is not included. However, -1 was mapped into not changing the driver value, so the explicit disabling part did not work. Replace the default values for these to be -2 so that explicitly set configuration value -1 can be distinguished from the case of not including the parameter. Map the -1 value to a driver request to disable the threshold. Ignore any error from this operation just in case to avoid breaking functionality should some drivers not accept the (u32) -1 value as a threshold value request to disable the mechanism.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: Fix scan_specific_bssid in case Beacon frame is seen | Jouni Malinen | 2019-03-12 | 1 | -1/+1
  The first scan for the unknown BSSID could have been timed in a manner that allows passive scanning to find the real AP even if that AP's beacon interval was 1000 (e.g., heavy CPU load changed timing so that the AP beaconing started at suitable time). The check for BSS result entry not including Probe Response frame was comparing incorrect BSS entries (bss2 vs. bss1) which resulted in the test case claiming failure even when there was no unexpected Probe Response frame. Fix this by comparing the beacon_ie and ie parameters from the same BSS entry (bss1).
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: Make AP discovery more robust in eap_proto test cases | Jouni Malinen | 2019-03-12 | 1 | -4/+54
  A number of these test cases start a connection attempt in wpa_supplicant and then expect a specific failure to happen relatively quickly. This could result in timeouts if the first scanning round missed to find the AP (e.g., due to CPU load pushing out the Probe Response frame long enough for the station having left the channel) and wpa_supplicant then waiting five seconds before starting a new scan. Make this more robust by scanning explicitly for the specific BSSID before starting the connection attempt.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* Add a vendor subcommand QCA_NL80211_VENDOR_SUBCMD_MPTA_HELPER_CONFIG | stonez | 2019-03-12 | 1 | -0/+98
  This subcommand is used to update Zigbee state and specified WLAN durations to enhance success ratio of Zigbee joining network. The attributes defined in enum qca_mpta_helper_vendor_attr are used to deliver these parameters to the driver.
  Signed-off-by: stonez <stonez@codeaurora.org>
* Add QCA vendor command/event and attributes for peer rate statistics | Amir Patel | 2019-03-12 | 1 | -0/+58
  Peer rate statistics is per-peer cached data in the driver. These statistics need to be flushed to a user space application on synchronous/asynchronous events. This command is used as an event from the driver to flush per-peer cached statistics to the application.
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
* tests: SAE group negotiation (no match) | Jouni Malinen | 2019-03-11 | 1 | -0/+19
  Signed-off-by: Jouni Malinen <jouni@codeaurora.org>