Commit message (Collapse)AuthorAgeFilesLines
* tests: Generate new certificates for Suite B test casesJouni Malinen2016-02-0110-139/+139
| | | | | | | The previous version expired in January. The new ones are from running ec-generate.sh and ec2-generate.sh again. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* VHT: Add an interoperability workaround for 80+80 and 160 MHz channelsJouni Malinen2016-02-011-0/+20
| | | | | | | | | | | | | | | | Number of deployed 80 MHz capable VHT stations that do not support 80+80 and 160 MHz bandwidths seem to misbehave when trying to connect to an AP that advertises 80+80 or 160 MHz channel bandwidth in the VHT Operation element. To avoid such issues with deployed devices, modify the design based on newly proposed IEEE 802.11 standard changes. This allows poorly implemented VHT 80 MHz stations to connect with the AP in 80 MHz mode. 80+80 and 160 MHz capable stations need to support the new workaround mechanism to allow full bandwidth to be used. However, there are more or less no impacted station with 80+80/160 capability deployed. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* nl8021: Avoid potential memory leak on error pathPurushottam Kushwaha2016-01-151-2/+3
| | | | | | | The called function nl80211_ht_vht_overrides() was not freeing "msg" resource in error cases. Signed-off-by: Purushottam Kushwaha <p.kushwaha@samsung.com>
* tests: Verify that ip_addr_* gets written to config fileJouni Malinen2016-01-151-0/+12
| | | | Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Allow re-write of ip_addr* configurations to conf file.Purushottam Kushwaha2016-01-151-0/+16
| | | | | | | | | This patch keeps ip_addr* configuration in conf file while updating supplicant conf file either internally by supplicant or due to save_config command. Signed-off-by: Purushottam Kushwaha <p.kushwaha@samsung.com> Signed-off-by: Avichal Agarwal <avichal.a@samsung.com>
* dbus: Restrict DeviceName size to 32 characters in setterPurushottam Kushwaha2016-01-151-1/+2
| | | | | | | The maximum WPS Device Name length is 32 characters and that limit was already enforced for the control interface and configuration files. Signed-off-by: Purushottam Kushwaha <p.kushwaha@samsung.com>
* Sort options and reduce printf calls in wpa_supplicant usage textRoy Marples2016-01-151-22/+22
| | | | Signed-off-by: Roy Marples <roy@marples.name>
* Fix wpa_supplicant build with IEEE8021X_EAPOL=y and CONFIG_NO_WPA=yJouni Malinen2016-01-154-7/+7
| | | | | | | | The PMKSA caching and RSN pre-authentication components were marked as conditional on IEEE8021X_EAPOL. However, the empty wrappers are needed also in a case IEEE8021X_EAPOL is defined with CONFIG_NO_WPA. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* tests: Roam between two WPA2-PSK APs and try to hit a disconnection raceJouni Malinen2016-01-151-0/+20
| | | | | | | | | This is a regression test case for hostapd bug where the disconnection/deauthentication TX status callback timeout could be forgotten after new association if no ACK frame was received and the STA managed to reconnect within two seconds. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* AP: Print interface name in more STA eventsJouni Malinen2016-01-152-13/+37
| | | | | | | This makes it easier to follow a debug log from a hostapd process that manages multiple interfaces. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* AP: Fix Deauth/Disassoc TX status timeout handlingJouni Malinen2016-01-154-2/+23
| | | | | | | | | | | | | | | | | The ap_sta_deauth_cb and ap_sta_disassoc_cb eloop timeouts are used to clear a disconnecting STA from the kernel driver if the STA did not ACK the Deauthentication/Disassociation frame from the AP within two seconds. However, it was possible for a STA to not ACK such a frame, e.g., when the disconnection happened due to hostapd pruning old associations from other BSSes and the STA was not on the old channel anymore. If that same STA then started a new authentication/association with the BSS, the two second timeout could trigger during this new association and result in the STA entry getting removed from the kernel. Fix this by canceling these eloop timeouts when receiving an indication of a new authentication or association. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* EAP peer: Use ifdef PCSC_FUNCS to get rid of compiler warningsJouni Malinen2016-01-151-0/+2
| | | | | | | | | clang started warning about the use of || with constants that came from PCSC_FUNCS not being enabled in the build. It seems to be easier to just ifdef this block out completely since that has the same outcome for builds that do not include PC/SC support. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* FST: Get rid of gcc extensions in structure/array initializationJouni Malinen2016-01-153-19/+22
| | | | | | These constructions were causing warnings when build with clang. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* hs20-osu-client: Fix check for osu_nai being availableJouni Malinen2016-01-151-1/+1
| | | | | | | This is an array, so the pointer is never NULL; need to check that the first character is not '\0' instead. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* tests: Fix EAP-SAKE error test case coverageJouni Malinen2016-01-151-0/+2
| | | | | | | This was missing the second eap_sake_compute_mic() call in eap_sake_process_confirm(). Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* tests: More EAP-MSCHAPv2 error coverageJouni Malinen2016-01-151-49/+189
| | | | Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* tests: Fix wpas_ctrl_oomJouni Malinen2016-01-151-16/+18
| | | | | | | | The OpenSSL memory allocation changes broke this test case. Fix this by removing the cases that do not get triggered anymore and add a separate wpas_ctrl_error test case to cover the fail_test() versions of errors. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* OpenSSL: Clean up openssl_digest_vector() to use a single implementationJouni Malinen2016-01-151-31/+17
| | | | | | | | | Use compatibility wrapper functions to allow a single implementation based on the latest OpenSSL API to be used to implement these functions instead of having to maintain two conditional implementation based on the library version. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* OpenSSL: Clean up crypto_hash_*() to use a single implementationJouni Malinen2016-01-151-46/+20
| | | | | | | | | Use compatibility wrapper functions to allow a single implementation based on the latest OpenSSL API to be used to implement these functions instead of having to maintain two conditional implementation based on the library version. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* LibreSSL: Fix build with LibreSSLJouni Malinen2016-01-152-10/+10
| | | | | | | | | The changes needed for OpenSSL 1.1.0 had broken this since LibreSSL is defining OPENSSL_VERSION_NUMBER in a manner that claims it to be newer than the current OpenSSL version even though it does not support the current OpenSSL API. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* EAP-TTLS peer: Fix success after fragmented final Phase 2 messageJouni Malinen2016-01-151-0/+15
| | | | | | | | | | If the final Phase 2 message needed fragmentation, EAP method decision was cleared from UNCOND_SUCC or COND_SUCC to FAIL and that resulted in the authentication failing when the EAP-Success message from the server got rejected. Fix this by restoring the EAP method decision after fragmentation. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* tests: Clean up eap_proto_ikev2Jouni Malinen2016-01-151-4/+26
| | | | | | | Use helper variable to indicate end of the test case instead of having to use a fixed length of the loop. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* tests: EAP-IKEv2 with default fragment_sizeJouni Malinen2016-01-151-0/+6
| | | | Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* tests: More EAP-SIM and EAP-AKA local error coverageJouni Malinen2016-01-141-1/+106
| | | | Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* tests: fail_test instead of alloc_fail for aes_{encrypt,decrypt}_initJouni Malinen2016-01-143-43/+56
| | | | | | | | This is needed to fix ap_wpa2_eap_psk_oom, ap_wpa2_eap_sim_oom, eap_proto_psk_errors, and ap_ft_oom with the new OpenSSL dynamic memory allocation design. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* tests: aes_encrypt_init() and aes_decrypt_init() to use TEST_FAILJouni Malinen2016-01-141-0/+6
| | | | | | | | | Now the these functions cannot be made to fail by forcing the memory allocation fail since the OpenSSL-internal version is used, add TEST_FAIL check to allow OOM test cases to be converted to use the TEST_FAIL mechanism without reducing coverage. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* OpenSSL: Use EVP_CIPHER_CTX_new() to work with OpenSSL 1.1.0Jouni Malinen2016-01-141-63/+72
| | | | | | | | | The EVP_CIPHER_CTX structure will be made opaque in OpenSSL 1.1.0, so need to use EVP_CIPHER_CTX_new() with it instead of stack memory. The design here moves the older OpenSSL versions to use that dynamic allocation design as well to minimize maintenance effort. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* OpenSSL: Update session_secret callback to match OpenSSL 1.1.0 APIJouni Malinen2016-01-141-1/+1
| | | | | | | | The SSL_CIPHER **cipher argument was marked const in OpenSSL 1.1.0 pre-release 2 similarly to how this is in BoringSSL. Fix build with that in preparation for supporting OpenSSL 1.1.0. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* tests: Additional EAP-pwd error case coverageJouni Malinen2016-01-141-11/+42
| | | | Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* EAP server: Simplify EAP method registration callJouni Malinen2016-01-1322-122/+33
| | | | | | | | | Free the allocated structure in error cases to remove need for each EAP method to handle the error cases separately. Each registration function can simply do "return eap_server_method_register(eap);" in the end of the function. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* EAP peer: Simplify EAP method registration callJouni Malinen2016-01-1323-127/+36
| | | | | | | | | Free the allocated structure in error cases to remove need for each EAP method to handle the error cases separately. Each registration function can simply do "return eap_peer_method_register(eap);" in the end of the function. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* EAP-WSC peer: Remove unused state valuesJouni Malinen2016-01-131-5/+1
| | | | | | The FRAG_ACK and DONE state were not used at all, so remove them. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* tests: WPS and EAP-WSC in network profileJouni Malinen2016-01-132-0/+116
| | | | | | | This goes through some error paths that do not really show up in real WPS use cases. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* tests: Fix ERP anonymous_identity test casesJouni Malinen2016-01-132-1/+17
| | | | | | | These need to be run without realm in the identity value to allow the realm from the anonymous_identity to be used. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* tests: EAP-WSC protocol testsJouni Malinen2016-01-131-0/+179
| | | | Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* tests: Renew the expired OCSP responder certificateJouni Malinen2016-01-121-18/+18
| | | | | | This certificate expired and that makes couple of test cases fail. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* tests: EAP protocol tests for canned EAP-Success after identityJouni Malinen2016-01-121-0/+54
| | | | Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* tests: ERP and local error casesJouni Malinen2016-01-121-1/+79
| | | | Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* tests: ERP and anonymous identityJouni Malinen2016-01-121-1/+72
| | | | Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* bsd: Optimize socket useRoy Marples2016-01-121-89/+129
| | | | | | | | Create global init to handle socket calls and route messages. Register each interface inside the global driver so that routing messages can find the interface based on rtm_ifindex. Signed-off-by: Roy Marples <roy@marples.name>
* nl80211: Report disassociated STA / lost peer for the correct BSSRafał Miłecki2016-01-121-3/+4
| | | | | | | | | | | | | | | | | | | | | We shouldn't use drv->ctx as it always points to the first BSS. When using FullMAC driver with multi-BSS support it resulted in incorrect treating nl80211 events. I noticed with with brcmfmac and BCM43602. Before my change I was getting "disassociated" on a wrong interface: wlan0-1: STA 78:d6:f0:00:11:22 IEEE 802.11: associated wlan0-1: STA 78:d6:f0:00:11:22 WPA: pairwise key handshake completed (RSN) wlan0: STA 78:d6:f0:00:11:22 IEEE 802.11: disassociated With this patch it works as expected: wlan0-1: STA 78:d6:f0:00:11:22 IEEE 802.11: associated wlan0-1: STA 78:d6:f0:00:11:22 WPA: pairwise key handshake completed (RSN) wlan0-1: STA 78:d6:f0:00:11:22 IEEE 802.11: disassociated This doesn't apply to hostapd dealing with SoftMAC drivers when handling AP SME & MLME is done it hostapd not the firmware. Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
* Drop OpenSSL 0.9.8 patches to add EAP-FAST supportJouni Malinen2016-01-123-798/+3
| | | | | | | | | The OpenSSL project will not support version 0.9.8 anymore. As there won't be even security fixes for this branch, it is not really safe to continue using 0.9.8 and we might as well drop the EAP-FAST patches for it. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* tests: EAP-SIM/AKA with external GSM/UMTS auth failingJouni Malinen2016-01-081-0/+84
| | | | Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* tests: EAP-SIM with external GSM auth and replacing SIMJouni Malinen2016-01-082-0/+210
| | | | | | | | | | These test cases verify that EAP-SIM with external GSM auth supports the use case of replacing the SIM. The first test case does this incorrectly by not clearing the pseudonym identity (anonymous_identity in the network profile) while the second one clears that and shows successful connection. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* OpenSSL: Fix client certificate chain building after PKCS#12 useJouni Malinen2016-01-071-0/+11
| | | | | | | | | | | | | | | | | | | | If wpa_supplicant was first configured with PKCS #12 -based client certificate chain and then used with another network profile that used a different certificate chain from a X.509 certificate PEM file instead of PKCS#12, the extra certificate chain was not reconstructed properly with older versions of OpenSSL that 1.0.2. This could result in the authentication failing due to the client certificate chain not being complete or including incorrect certificates. Fix this by clearing the extra certificate chain when setting up a new TLS connection with OpenSSL 1.0.1. This allows OpenSSL to build the chain using the default mechanism in case the new TLS exchange does not use PKCS#12. The following hwsim test case sequence was able to find the issue: ap_wpa2_eap_tls_pkcs12 ap_wpa2_eap_tls_intermediate_ca_ocsp Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* ACS: Remove unreachable case from a debug printJouni Malinen2016-01-071-2/+1
| | | | | | | | n_chans can have only values 1, 2, or 4 in this function, so the -1 case could never be reached. Remove the unreachable case to get rid of static analyzer warnings. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* Remove a pointer check that can never be trueJouni Malinen2016-01-071-2/+0
| | | | | | | | | chan is set to the result of pointer arithmetic (pointer to an entry in an array) that can never be NULL. As such, there is no need to check for it to be non-NULL before deference. Remove this check to avoid complaints from static analyzers. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* ACS: Be more consistent with iface->current_mode checksJouni Malinen2016-01-071-0/+3
| | | | | | | | | | | | | | | | | Offloading of ACS to the driver changed the design a bit in a way that iface->current_mode could actually be NULL when the offloaded ACS mechanism supports band selection in addition to channel selection. This resulted in a combination that is too complex for static analyzers to notice. While acs_init() can be called with iface->current_mode == NULL that is only in the case where WPA_DRIVER_FLAGS_ACS_OFFLOAD is in use. In other words, the actual ACS functions like acs_cleanup() that would dereference iface->current_mode are not used in such a case. Get rid of static analyzer warnings by explicitly checking iface->current_mode in acs_init() for the case where ACS offloading is not used. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* P2P: Print find_start in debug log when ignoring old scan resultsJouni Malinen2016-01-071-2/+4
| | | | | | | | | This makes it easier to debug issues with old scan results being ignored during P2P_FIND. A single rx_time would have been fine with os_gettime(), but with os_get_reltime(), both rx_time and find_start values are needed. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
* l2_packet: Extend bridge workaround RX processing to cover two framesJouni Malinen2016-01-071-1/+17
| | | | | | | | | | | | | | | | | | | | | There was a race condition in how the l2_packet sockets got read that could result in the same socket (e.g., non-bridge) to process both the EAP-Success and the immediately following EAPOL-Key msg 1/4 instead of each frame going in alternative order between the bridge and non-bridge sockets. This could be hit, e.g., if the wpa_supplicant process did not have enough CPU to process all the incoming frames without them getting buffered and both sockets reporting frames simultaneously. This resulted in the duplicated EAP-Success frame getting delivered twice for processing and likely also the EAPOL-Key msg 1/4 getting processed twice. While the latter does not do much harm, the former did clear the EAP authentication state and could result in issues. Fix this by extended the l2_packet Linux packet socket workaround for bridge to check for duplicates against the last two received frames instead of just the last one. Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>