Commit message, author, date, files changed, lines removed/added

* Update copyright notices for the new year 2019
  Jouni Malinen, 2019-01-01, 16 files, -21/+21
  Signed-off-by: Jouni Malinen <j@w1.fi>

* tests: Use different country in p2p_go_move_reg_change
  Jouni Malinen, 2019-01-01, 1 file, -2/+10
  Use of country=00 (world roaming) seemed to not work anymore with the current cfg80211 regulatory implementation since the existing channel is left enabled when moving to country=00. Use a specific country code that does enforce the selected channel from being used anymore to make this test case pass again. The change in cfg80211 behavior is from the kernel commit 113f3aaa81bd ("cfg80211: Prevent regulatory restore during STA disconnect in concurrent interfaces").
  Signed-off-by: Jouni Malinen <j@w1.fi>

* tests: dot1xAuthSessionUserName
  Jouni Malinen, 2019-01-01, 2 files, -1/+32
  Signed-off-by: Jouni Malinen <j@w1.fi>

* Use internal EAP server identity as dot1xAuthSessionUserName
  Jouni Malinen, 2019-01-01, 1 file, -2/+12
  If the internal EAP server is used instead of an external RADIUS server, sm->identity does not get set. Use the identity from the internal EAP server in such a case to get the dot1xAuthSessionUserName value in STA MIB information.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* browser: Replace deprecated gtk_window_set_wmclass()
  Jouni Malinen, 2019-01-01, 1 file, -2/+1
  Use gtk_window_set_role() instead of the deprecated gtk_window_set_wmclass().
  Signed-off-by: Jouni Malinen <j@w1.fi>

* HTTP (curl): Replace deprecated ASN1_STRING_data()
  Jouni Malinen, 2019-01-01, 1 file, -4/+13
  Use ASN1_STRING_get0_data() instead of the older ASN1_STRING_data() that got deprecated in OpenSSL 1.1.0.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* HTTP (curl): Fix build with newer OpenSSL versions
  Ben Greear, 2019-01-01, 1 file, -1/+5
  The SSL_METHOD patching hack to get proper OCSP validation for Hotspot 2.0 OSU needs cannot be used with OpenSSL 1.1.0 and newer since the SSL_METHOD structure is not exposed anymore. Fall back to using the incomplete CURLOPT_SSL_VERIFYSTATUS design to fix the build.
  Signed-off-by: Ben Greear <greearb@candelatech.com>

* HTTP (curl): Use DEFINE_STACK_OF() with newer OpenSSL versions
  Ben Greear, 2019-01-01, 1 file, -0/+8
  SKM_sk_num() is not available anymore, so use DEFINE_STACK_OF() to get the appropriate accessor functions.
  Signed-off-by: Ben Greear <greearb@candelatech.com>

* HTTP (curl): Use SSL_get_SSL_CTX() helper
  Ben Greear, 2019-01-01, 1 file, -2/+2
  The direct ssl->ctx access is not allowed anymore in newer OpenSSL versions, so use the SSL_get_SSL_CTX() helper for this.
  Signed-off-by: Ben Greear <greearb@candelatech.com>

* HS 2.0: Fix EST compilation with OpenSSL 1.1.0 and newer
  Ben Greear, 2019-01-01, 1 file, -0/+13
  SKM_sk_value() is not available anymore, so use DEFINE_STACK_OF() to get the appropriate accessor functions.
  Signed-off-by: Ben Greear <greearb@candelatech.com>

* hostap: Silence compiler warnings about IFNAMSIZ buffers
  Jouni Malinen, 2019-01-01, 1 file, -2/+9
  Report interface name truncation and reject such cases in Host AP driver initialization of the AP interface.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* OCE: RSSI-based rejection to consider Authentication frames (AP)
  Jouni Malinen, 2019-01-01, 2 files, -3/+10
  Try to make RSSI-based rejection of associating stations a bit less likely to trigger false rejections by considering RSSI from the last received Authentication frame. Association is rejected only if both the Authentication and (Re)Association Request frames are below the RSSI threshold.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* tests: Add RSSI based association rejection tests
  Beni Lev, 2019-01-01, 1 file, -0/+153
  Signed-off-by: Beni Lev <beni.lev@intel.com>

* tests: Add a command for setting TX power/RSSI
  Beni Lev, 2019-01-01, 1 file, -0/+17
  With this command, the RSSI signal can be controlled. Due to restrictions in the kernel, only values in the range of [-30, -50] can be used. The command is implemented by changing the TX power.
  Signed-off-by: Beni Lev <beni.lev@intel.com>

* OCE: Add RSSI based association rejection support (AP)
  Beni Lev, 2019-01-01, 7 files, -6/+66
  An AP might reject a STA association request due to low RSSI. In such a case, the AP informs the STA of the desired RSSI improvement and a retry timeout. The STA might retry to associate even if the RSSI hasn't improved if the retry timeout expired.
  Signed-off-by: Beni Lev <beni.lev@intel.com>

* OCE: Add RSSI based association rejection support (STA)
  Beni Lev, 2019-01-01, 8 files, -17/+88
  An AP might refuse to connect a STA if it has a low RSSI. In such a case, the AP informs the STA of the desired RSSI delta and a retry timeout. Any subsequent association attempt with that AP (BSS) should be avoided, unless the RSSI level improved by the desired delta or the timeout has expired. Defined in Wi-Fi Alliance Optimized Connectivity Experience technical specification v1.0, section 3.14 (RSSI-based association rejection information).
  Signed-off-by: Beni Lev <beni.lev@intel.com>
* tests: P2P cancel join-group using p2pdev and no separate group interface
  Jouni Malinen, 2019-01-01, 1 file, -0/+23
  Signed-off-by: Jouni Malinen <j@w1.fi>

* P2P: Set global->p2p_group_formation in wpas_p2p_join_start() for p2pdev
  Aloni, Adiel, 2019-01-01, 1 file, -9/+10
  When a dedicated P2P device interface is used, the global->p2p_group_formation was not set in wpas_p2p_join_start() if no separate group interface is used. This would cause the cleaning of p2p_in_provisioning to be done on the wrong interface in case of a failure in group formation. Furthermore, the P2P_CANCEL command could not be used to stop such a group-join operation. Fix this by setting the global->p2p_group_formation correctly in case the group interface is reusing wpa_s->parent.
  Signed-off-by: Adiel Aloni <adiel.aloni@intel.com>

* tests: Clear regdom state in go_neg_forced_freq_diff_than_bss_freq
  Jouni Malinen, 2019-01-01, 1 file, -1/+3
  Be more careful with cleaning up the regdom state in cfg80211.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* tests: Make dpp_pkex_no_responder handle enabled 5 GHz channels
  Jouni Malinen, 2019-01-01, 1 file, -5/+9
  It was possible for the 5 GHz PKEX channels to be enabled, e.g., when running the "ap_ht40_csa2 dpp_pkex_no_responder" test sequence, and that resulted in a failure in dpp_pkex_no_responder due to the unexpectedly long wait needed for the DPP-FAIL event. Increase the wait time to allow for 5 GHz PKEX channels to be probed.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* Update wpa_supplicant channel list on FLUSH
  Jouni Malinen, 2019-01-01, 3 files, -6/+13
  Try to make sure the driver channel list state is synchronized with wpa_supplicant whenever explicitly clearing state (e.g., between hwsim test cases).
  Signed-off-by: Jouni Malinen <j@w1.fi>

* nl80211: Debug print channel list
  Jouni Malinen, 2019-01-01, 1 file, -2/+61
  This makes it a bit easier to figure out how the channel list update from the kernel is taken into use.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* tests: Check per-wiphy specific country code between test cases
  Jouni Malinen, 2019-01-01, 1 file, -0/+55
  This allows more accurate logging of failures related to the cfg80211 country=98 (intersection) case. This version is trying to give some more time to allow the country code to clear, but that does not seem to be sufficient with the current cfg80211 implementation for country=98 (but might be for other cases). The additional check for country=98 at the beginning of each test case is an attempt to force cfg80211 to restore world roaming state with a new association and disconnection at the station side detected after the AP side has already stopped. This is needed after the Linux kernel commit 113f3aaa81bd ("cfg80211: Prevent regulatory restore during STA disconnect in concurrent interfaces").
  Signed-off-by: Jouni Malinen <j@w1.fi>

* tests: Wait a bit after 'iw reg set 00' at the end of test cases
  Jouni Malinen, 2019-01-01, 7 files, -0/+16
  This is needed to avoid leaving an unexpected cfg80211 regulatory country code in place at the point when a test case terminates.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* tests: Clear regdom changes more robustly in FST test cases
  Jouni Malinen, 2019-01-01, 4 files, -0/+13
  Signed-off-by: Jouni Malinen <j@w1.fi>

* tests: Clear regulatory setting in ap_ht_op_class_* more robustly
  Jouni Malinen, 2019-01-01, 1 file, -1/+7
  Avoid exiting the test case with the regulatory domain set to something other than 00 (world roaming).
  Signed-off-by: Jouni Malinen <j@w1.fi>

* nl80211: Make wiphy-specific country (alpha2) available in STATUS-DRIVER
  Jouni Malinen, 2018-12-31, 1 file, -0/+19
  Signed-off-by: Jouni Malinen <j@w1.fi>

* nl80211: Debug print details from the beacon hint events
  Jouni Malinen, 2018-12-31, 1 file, -6/+49
  Signed-off-by: Jouni Malinen <j@w1.fi>
* hostapd: Add configuration option check_crl_strict
  Sam Voss, 2018-12-31, 12 files, -8/+36
  Add the ability to ignore time-based CRL errors from OpenSSL by specifying a new configuration parameter, check_crl_strict=0. This causes the following:
  - This setting does nothing when CRL checking is not enabled.
  - When CRL is enabled, "strict mode" will cause CRL time errors to not be ignored and will continue behaving as it currently does.
  - When CRL is enabled, disabling strict mode will cause CRL time errors to be ignored and will allow connections.
  By default, check_crl_strict is set to 1, or strict mode, to keep current functionality.
  Signed-off-by: Sam Voss <sam.voss@rockwellcollins.com>

* wpa_cli: Allow reconnect to global interface
  Ben Greear, 2018-12-31, 1 file, -34/+41
  Old code would just re-connect to a particular interface, even if the user had started wpa_cli with the '-g' option. Refactor the global control interface connection routine to allow it to be used in wpa_cli_reconnect().
  Signed-off-by: Ben Greear <greearb@candelatech.com>

* tests: Build tests for wpa_supplicant and hostapd
  Jouni Malinen, 2018-12-31, 12 files, -0/+364
  Allow multiple build configurations to be tested automatically.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* Add internal HMAC-SHA512 implementation to fix NEED_SHA512 builds
  Jouni Malinen, 2018-12-31, 1 file, -0/+104
  Build configurations with CONFIG_TLS=internal and NEED_SHA512 failed due to the missing sha512.c file. Add that file even though this is not really used in the currently available configuration combinations since DPP and OWE are the only users of it and the internal crypto implementation supports neither.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* wpa_supplicant: Fix build with !CONFIG_AP and CONFIG_CTRL_IFACE_DBUS_NEW
  Michal Privoznik, 2018-12-31, 1 file, -1/+32
  If CONFIG_CTRL_IFACE_DBUS_NEW is enabled but CONFIG_AP is disabled, the build fails. This is because the dbus getters try to access the ap_iface member of the wpa_supplicant struct, which is defined if and only if CONFIG_AP is enabled.
  Signed-off-by: Michal Privoznik <mprivozn@redhat.com>

* mka: Log MI update failure in debug log
  Jouni Malinen, 2018-12-30, 1 file, -1/+6
  One of the reset_participant_mi() callers did not log the error. Make this more consistent with the other callers.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* nl80211: Note interface-removal-from-bridge errors in debug log
  Jouni Malinen, 2018-12-30, 1 file, -3/+6
  One of the linux_br_del_if() calls did not log an nl80211-specific entry. Make this more consistent with the other cases even though the linux_br_add_if() function itself is logging an error in the ioctl() failure case (but not in the interface not found case).
  Signed-off-by: Jouni Malinen <j@w1.fi>

* tests: hostapd configuration reload from file when disabled
  Jouni Malinen, 2018-12-30, 1 file, -0/+20
  Signed-off-by: Jouni Malinen <j@w1.fi>

* hostapd: Add openssl_ecdh_curves configuration parameter
  Hristo Venev, 2018-12-30, 4 files, -0/+6
  This makes it possible to use ECDSA certificates with EAP-TLS/TTLS/etc. It should be noted that when using Suite B, a different mechanism is used to specify the allowed ECDH curves and this new parameter must not be used in such cases.
  Signed-off-by: Hristo Venev <hristo@venev.name>

* OpenSSL: Add openssl_ecdh_curves parameter
  Hristo Venev, 2018-12-30, 5 files, -0/+90
  Some versions of OpenSSL need server support for ECDH to be explicitly enabled, so provide a new parameter for doing so and call SSL_{,CTX_}set_ecdh_auto() for versions that need it to enable automatic selection.
  Signed-off-by: Hristo Venev <hristo@venev.name>

* HS 2.0: DHCP broadcast-to-unicast conversion before address learning
  Jouni Malinen, 2018-12-29, 1 file, -9/+9
  handle_dhcp() was first trying to learn the IP address of an associated STA before doing broadcast-to-unicast conversion. This could result in not converting some DHCPACK messages since the address learning part aborts processing by returning from the function in various cases. Reorder these operations to allow broadcast-to-unicast conversion to happen even if an associated STA entry is not updated based on a DHCPACK.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* tests: Add UDP checksum into DHCP frames in ProxyARP/DGAF disabled case
  Jouni Malinen, 2018-12-29, 1 file, -4/+13
  Previously, the special value 0 was used to indicate no UDP checksum. Replace that with the calculated checksum for more like use case.
  Signed-off-by: Jouni Malinen <j@w1.fi>
* mka: Make ICV Indicator dependent on ICV length
  Jaap Keuter, 2018-12-29, 1 file, -5/+10
  IEEE Std 802.1X-2010, 11.11 describes that the ICV is separate from the parameter sets before it. Due to its convenient layout the ICV Indicator 'body part' is used to encode the ICV as well. IEEE Std 802.1X-2010, 11.11.3 describes the encoding of MKPDUs. In bullet e) it is described that the ICV Indicator itself is encoded when the ICV is not 16 octets in length. IEEE Std 802.1Xbx-2014, Table 11-7 note e) states that it will not be encoded unless the Algorithm Agility parameter specifies the use of an ICV that is not 16 octets in length. Therefore the length calculation for the ICV indicator body part must take into account if the ICV Indicator is to be encoded or not. The actual encoder of the ICV body already takes care of the rest. In practice, this change will remove the ICV Indicator parameter set (4 octets before the ICV value itself) since the only defined algorithm agility value uses an ICV of 16 octets. IEEE Std 802.1X-2010 MKPDU validation and decoding rules in 11.11.2 and 11.11.4 require the recipient to handle both cases of the ICV Indicator being included or not.
  Signed-off-by: Jaap Keuter <jaap.keuter@xs4all.nl>

* tests: Clear regulatory Beacon hints more robustly in TDLS test cases
  Jouni Malinen, 2018-12-29, 1 file, -28/+20
  The ap_open_tdls_vht* test cases could leave some pending regulatory Beacon hints waiting to be cleared during the following test case. This would result in a failure if the following test case expected specific regdom event behavior. For example, this caused the "ap_open_tdls_vht160 dbus_country" sequence to result in failure in dbus_country. Fix this by using a more robust sequence in clearing regdom state at the end of the TDLS test cases that have the AP advertising a country code.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* tests: MKA MIB information
  Jouni Malinen, 2018-12-29, 1 file, -0/+22
  Signed-off-by: Jouni Malinen <j@w1.fi>

* mka: MIB information
  Jouni Malinen, 2018-12-29, 4 files, -1/+108
  Provide MKA information through the wpa_supplicant control interface MIB command.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* tests: MACsec PSK with bridge interface
  Jouni Malinen, 2018-12-29, 1 file, -0/+108
  Signed-off-by: Jouni Malinen <j@w1.fi>
* tests: Use more robust way to determine MKA is done for MACsec testing
  Jouni Malinen, 2018-12-29, 1 file, -13/+47
  Signed-off-by: Jouni Malinen <j@w1.fi>

* mka: Provide more status information over control interface
  Jouni Malinen, 2018-12-29, 1 file, -6/+63
  Signed-off-by: Jouni Malinen <j@w1.fi>

* mka: Stop trying to generate and distribute new SAK when not key server
  Jouni Malinen, 2018-12-29, 1 file, -2/+3
  It was possible for a participant to first be elected as a key server and schedule a new SAK to be generated and distributed, just to be followed by another participant being elected as the key server. That did not stop the participant that disabled key server functionality from generating the new SAK and then trying to distribute it. That is not correct behavior, so make these steps conditional on the participant still being a key server when going through the timer.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* mka: Add more debug print details
  Jouni Malinen, 2018-12-29, 2 files, -121/+263
  This makes it a bit easier to try to figure out what is going on with KaY operations and MKA setup.
  Signed-off-by: Jouni Malinen <j@w1.fi>

* mka: Fix deleteSAs clearing of principal->new_key
  Jouni Malinen, 2018-12-29, 1 file, -2/+7
  This pointer needs to be cleared when the matching SAK is being removed from the SAK list. The previous implementation was doing something pretty strange in the loop by clearing the pointer for any non-matching key that happened to be iterated through before finding the matching key. This could probably result in incorrect behavior, but not clearing the pointer for the matching key could do more harm by causing freed memory to be referenced.
  Signed-off-by: Jouni Malinen <j@w1.fi>