Move the cancelling of the eapol timeout from the end of step 1 to
step 3 to guard the whole handshake. At the end of step 1 stop the
EAPOL-Start timeout for the case of 802.1X authentication + a cached
PMKSA (not used yet.)
Some APs respond to Neighbor Report Requests with neighbor reports that
have a zero operating class value and a non-zero channel number. This
does not mean that the channel is in the same band that the reporting
AP operates in. Try to guess the band that the channel refers to out of
2.4 and 5GHz -- the bands supported by those APs.
wpa_supplicant also has this workaround in place.
There was an unnecessary l_strsplit call when parsing the verbose
options for test-runner. The verbose options get parsed inside
qemu already, so this call was removed.
Can now pass -V, --valgrind to test-runner to run valgrind on
iwd during autotests. Note: the verbose option for iwd must
also be passed in order to see output (-v iwd).
SA Query procedure is used when an unprotected disassociate frame
is received (with frame protection enabled). There are two code
paths that can occur when this disassociate frame is received:
1. Send out SA Query and receive a response from the AP within a
timeout. This means that the disassociate frame was not sent
from the AP and can be ignored.
2. Send out SA Query and receive no response. In this case it is
assumed that the AP went down ungracefully and is now back up.
Since frame protection is enabled, you must re-associate with
the AP.
Two autotests:
1. Tests SA Query procedure when the AP goes down. In this case the AP
goes down ungracefully, now allowing it to send out any deauth
frames. When the AP comes back up, IWD still thinks its connected.
The AP will then send unprotected disassociate frames so the client
can re-connect. This kicks off the SA Query procedure, which the AP
will not respond to. At this point we can deauth and reconnect to
the AP.
2. Test SA Query procedure when a disassociate frame has been spoofed.
In this case we receive an unprotected disassociate frame and start
SA Query. The AP should then respond to the SA query within the
timeout. We then know the frame was spoofed and can remain
connected.
Changed disassociate reason to 0x07 when spoofing a disassociate
frame. This along with 0x06 are the only two reason codes that
should be accepted in an unprotected disassociate frame.
Using the hwsim dbus interface ".Interface" under the radios
object you can now send an arbitrary frame out from that radio.
Two methods have been added, spoof_frame and spoof_disassociate.
The hwsim SendFrame method requires the radio frequency which
is obtained from the hostapd config file. This adds a generic
API to get any config value from the hostapd config, as well
as a get_freq API that converts the channel number to a
frequency.
Added a new method SendFrame() under the radios .Interface
interface. This method takes two byte arrays as parameters,
first is the station address to send the frame to, and the
second is the raw frame data.
For testing SA Query, the autotest needs the ablility to force
kill (and restart) hostapd without giving it time to deauth its
stations gracefully. A method was added to the HostapdCLI class
which does a killall -9 hostapd, resets the wlnX interface,
and restarts hostapd with the same arguments as it had before.
The following verbose options can be used:
"unit" - see output from unit tests
"kernel" - see hwsim kernel prints
"pytests" - see prints from python autotests
Tim Kourt