Commit graph

9805 commits

Author SHA1 Message Date
Aditya Kumar Singh
e9984e3db2 hostapd: Refactor interface enable/disable into separate helper functions
Driver events for interface enable/disable are currently handled on
interface level with one hostapd_data instance under consideration. In
order to extend it for MLO, this needs to be done for each of the
affiliated links. Hence, refactor the code into a helper function which
can be used later.

No functionality change. Support for MLO will be added in a subsequent
change.

Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
2024-08-09 09:36:02 +03:00
Veerendranath Jakkam
8324947a67 RSNO: Add debug prints for RSN override elements in EAPOL frames
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2024-08-08 22:39:39 +03:00
Aditya Kumar Singh
e33a55d31d nl80211: Sanitize link ID in mlme_event_ch_switch() for AP interface
During channel switch handling for AP MLD, if link ID is incorrect,
there is no point in proceeding till end and failing or returning from
there. Hence sanitize it in the initial time itself and return if it is
incorrect. Throw a warning print if it is not correct as well.

Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
2024-08-08 22:18:49 +03:00
Aditya Kumar Singh
de2ee083e7 nl80211: Add ifname and link ID debug prints in mlme_event_ch_switch()
This makes it easier to debug AP MLD behavior.

Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
2024-08-08 22:18:49 +03:00
Aloka Dixit
bd8a1f5ff5 hostapd: Enable HE when EHT is set for channel switch
Channel switch operation fails if 'eht' option is given without 'he'
as hostapd_config_check() returns following error:
"Cannot set ieee80211be without ieee80211ax"

The issue is seen only when switching within/to DFS channels because
hostapd_switch_channel_fallback() does not set 'ieee80211ax' in
hostapd configuration unless 'he_enabled' is set for the new channel.

Set 'he_enabled' in struct hostapd_freq_params for channel switch
when EHT is enabled.

Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
2024-08-08 22:18:47 +03:00
Aditya Kumar Singh
c6faa89366 AP MLD: Use the cached per STA profile instead of forming a new one
Now that per STA profile is cached already, there is no need to form it
dynamically on every Probe Request frame.

Use the cached one instead.

Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
2024-08-07 18:58:47 +03:00
Arunpandi Kannan
74db2b7449 AP MLD: Handle Vendor Specific element inheritance in per STA profile
As per IEEE P802.11be/D7.0, 35.3.3.5.1 (Inheritance in the Per-STA
Profile subelement of Basic Multi-Link element), Note 1, if there exists
one or more Vendor Specific elements carried in a Management frame that
includes the Basic Multi-Link element containing a per-STA profile for a
reported STA, and the contents of the Information field for at least one
of the Vendor Specific elements is not the same as that of at least one
Vendor Specific element that applies to the reported STA, then each
Vendor Specific element that applies to the reported STA is included in
its Per-STA Profile subelement.

Handle this.

Signed-off-by: Arunpandi Kannan <quic_arunpand@quicinc.com>
Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
2024-08-07 18:58:32 +03:00
Sriram R
023d70d6ca AP MLD: Add non-inheritance support for per STA profile reporting
There can be an element in the reporting BSS which is not there in the
reported BSS. This element should not be inherited in the per STA
profile. Hence to indicate this, the corresponding per STA profile
should include a Non-Inheritance element in the per STA profile.

Include Non-Inheritance element in the per STA profiles when needed.

Signed-off-by: Sriram R <quic_srirrama@quicinc.com>
Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
2024-08-07 18:58:08 +03:00
Sriram R
b5359d01ed AP MLD: Intersect per STA profile with the reporting BSS
If an element is present in the reporting BSS and it is also present in
the reported BSS and the contents are same, ideally, the reported BSS
need not carry such element in its per STA profile. Such elements are
assumed to be inherited from the reporting BSS.

Intersect the reported BSS profile with the reporting BSS and avoid such
element inclusion.

Signed-off-by: Sriram R <quic_srirrama@quicinc.com>
Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
2024-08-07 18:57:42 +03:00
Sriram R
abe990afb9 AP MLD: Ignore elements which are not meant to be included in per STA profile
There are certain elements which should not be included in a per STA
profile.

Ignore such elements.

Signed-off-by: Sriram R <quic_srirrama@quicinc.com>
Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
2024-08-07 18:57:35 +03:00
Sriram R
2042cae9b3 AP MLD: Generate and keep per STA profiles for each link
Currently, upon receiving a Probe Request frame, per STA profile is
generated and added to the Probe Response frame. However, the per STA
profile remains unchanged unless there’s a property change in one of the
affliated link of the AP MLD. This approach introduces unnecessary delay
in forming and sending out the Probe Response frame.

To optimize this process, generate the per STA profile for each link at
the start and store it. When needed, it can be simply copied into the
Probe Response frame. Additionally, whenever there’s a change in the
link’s properties, re-generate the per STA profiles for all affiliated
links of the AP MLD.

As an initial step, copy the complete per STA profile and store it
within the links. The intersection with reporting BSS and inheritance
will be addressed in a subsequent change. Then finally, this will be
used to generate the Probe Response frame. As of this commit, no change
in adding per STA profiles in the Probe Response frame.

Signed-off-by: Sriram R <quic_srirrama@quicinc.com>
Co-developed-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
2024-08-07 18:57:09 +03:00
Sriram R
8f07e9699b Move mld_link_info structure to hostapd.h header file
At present, the mld_link_info structure is nested within the mld_info
structure. However, a future modification will require mld_link_info to
be outside of mld_info. To address this, move the mld_link_info
structure to hostapd.h so that it can be accessed both in the current
context and in the location needed for the upcoming change.

No functional changes.

Signed-off-by: Sriram R <quic_srirrama@quicinc.com>
Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
2024-08-07 18:57:04 +03:00
Amith A
5cb6747f97 Add support to switch channel when CAC is in progress
Prior to initiating communication on a DFS channel, channel availability
check needs to be performed. During this period, the AP does not beacon.
Hence, no channel switch was allowed during this period. However, if a
user wishes to switch to a non-DFS channel during the potentially long
CAC period and start transmission immediately, there is no provision to
do that currently.

Extend the existing CHAN_SWITCH control interface command to allow
channel switch even when the AP is in CAC state. To do this, first
disable the interface to abort the CAC in progress and then configure
the interface with the new parameters and finally re-enable the
interface.

Signed-off-by: Amith A <quic_amitajit@quicinc.com>
2024-08-07 11:37:00 +03:00
Rameshkumar Sundaram
b7f08c28cd WNM: Fix potential NULL pointer dereference during assoc response handling
In the send_assoc_resp() function, there’s a chance that the sta
argument could be NULL. Therefore, it’s crucial not to directly
dereference sta without first checking whether it’s a valid pointer.
However, commit 58ac46baf7 (“WNM: AP configuration to allow BSS max
idle period requests”) introduces direct dereferencing of max idle
period from sta, which might lead to a NULL pointer dereference. Fix
this now.

Fixes: 58ac46baf7 ("WNM: AP configuration to allow BSS max idle period requests")
Signed-off-by: Rameshkumar Sundaram <quic_ramess@quicinc.com>
Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
2024-08-07 11:34:07 +03:00
Karthik M
c7e704bdf9 hostapd: Add Bandwidth Indication subelement support for channel switch
The Bandwidth Indication subelement contains channel bandwidth, channel
center frequency, and optionally punctured subchannels.

As per IEEE P802.11be/D7.0, 35.15.3 (Channel switching methods for an
EHT BSS), if a Channel Switch Announcement element or an Extended
Channel Switch Announcement element is used to announce a switch to an
EHT BSS operating channel width wider than 160 MHz or to an EHT BSS
operating channel width including at least one punctured 20 MHz
subchannel, the Bandwidth Indication subelement in the Channel Switch
Wrapper element shall be present in the same frame.

Hence, add it into the Beacon and Probe Response frames under the above
mentioned conditions.

Signed-off-by: Karthik M <quic_karm@quicinc.com>
Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
2024-08-06 23:15:58 +03:00
Karthik M
c9d0c6fd7e hostapd: Refactor Channel Switch Wrapper element generation
The Wide Bandwidth Channel Switch subelement was directly appended in
the Channel Switch Wrapper element function
hostapd_eid_wb_chsw_wrapper(). However, a subsequent change would add
Bandwidth Indication subelement in the Channel Switch Wrapper element.
Hence using the same function name would be confusing.

Hence, refactor the current code into two functions. The first function
hostapd_eid_chsw_wrapper() forms the channel switch wrapper element.
This calls hostapd_eid_wb_channel_switch() to add a Wide Bandwidth
Channel Switch subelement inside it.

No functionality change.

Signed-off-by: Karthik M <quic_karm@quicinc.com>
Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
2024-08-06 22:52:19 +03:00
Manish Dharanenthiran
b592c1586e nl80211: Handle nl80211_cqm_event per BSS
During MLO, an nl80211_cqm_event may be received by any BSS. Directing
this event to the first BSS may not be suitable as it might not
correspond to the link the event is meant for. Hence, there is a need to
handle this on per-BSS basis.

Therefore, handle nl80211_cqm_event per BSS. The event handler further
uses the address information present in the event to fetch the intended
link BSS if no matching STA entry was found based on the initial
ap_get_sta() call.

Signed-off-by: Manish Dharanenthiran <quic_mdharane@quicinc.com>
Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
2024-08-06 20:17:47 +03:00
Manish Dharanenthiran
89c31feb31 Relocate the declaration of the hostapd_find_by_sta() function to top
The hostapd_find_by_sta() function may be utilized by multiple driver
events. Therefore, it should be declared at the outset to ensure
accessibility by all event handlers.

No functional changes.

Signed-off-by: Manish Dharanenthiran <quic_mdharane@quicinc.com>
Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
2024-08-06 20:17:47 +03:00
Aditya Kumar Singh
83c4adcdac hostapd: Add Max Channel Switch Time element support
The Max Channel Switch Time element indicates the time delta between the
time the last beacon is transmitted by the AP in the current channel and
the expected time of the first Beacon frame transmitted by the AP in the
new channel.

IEEE P802.11be/D7.0, 35.3.11 (ML procedures for (extended) channel
switching and channel quieting) indicates that if an AP affiliated with
an AP MLD is switching channel, Max Channel Switch Time element shall be
included in every Beacon and Probe Response frame it transmits.

Add support to include the Max Channel Switch Time element in Beacon and
Probe Response frames during channel switch announcement for an AP
affiliated with an AP MLD.

Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
2024-08-06 18:34:34 +03:00
Aditya Kumar Singh
9f334fe683 Share usec-to/from-TU conversion macros in a general location
These can be used outside the context of FST and hostapd.c, so move the
macro definitions into a shared header file. In addition, fix the
currently unused US_TO_TU() definition and rename "US" to "USEC".

Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
2024-08-06 18:05:18 +03:00
Sidhanta Sahu
69deac87fb AP MLD: Ensure successful addition of link item into list
Currently, hapd->link is added to the MLD links list during driver
initialization and setup BSS operation. However, a call trace has been
observed where a BSS link item is not present in the list and an attempt
is made to delete it from the list. This scenario occurs during the
deinitialization operation, which calls hostapd_bss_link_deinit() and
tries to remove the hapd->link which is not present in the list.

Ensures that the link item is added to the list only after the
successful operation of link addition. Also ensure that mld->num_links
increments only when the addition is successful. Therefore, return from
hostapd_bss_link_deinit(), if mld->num_links is zero. Since the mld
object is shared among all the links, num_links has to be incremented
only when the addition is successful.

Call trace:
        dl_list_del.lto_priv.9.lto_priv ()
        hostapd_bss_link_deinit.lto_priv ()
        hostapd_bss_deinit ()
        hostapd_interface_deinit ()
        hostapd_interface_deinit_free ()
        hostapd_main ()

Signed-off-by: Sidhanta Sahu <quic_sidhanta@quicinc.com>
2024-08-06 00:29:00 +03:00
Veerendranath Jakkam
ca58be3da4 SAE: Add group 20 in default groups when AP started with SAE-EXT-KEY
hostapd used to always enable only the group 19 when SAE groups were not
configured explicitly in hostapd.conf. This may cause undesired
connection delay with STAs which use group 20 as the primary group with
SAE-EXT-KEY AKM during SAE authentication attempt.

To avoid this, enable group 20 in default groups when AP supports
SAE-EXT-KEY and SAE groups have not been configured explicitly in
hostapd.conf.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2024-08-06 00:06:22 +03:00
Aditya Kumar Singh
666d695bbd nl80211: Fix simultaneous scanning failure in case of MLO
Currently only one scan can be performed on per phy level at a time in
the driver. Due to this, if another scan request is sent via anoother
underlying phy, the kernel returns -EBUSY. This would result in hostapd
trying to set the interface into station mode if it was originally in AP
mode and retry sending a scan request. However, this behavior is
expected in case of multi link operation and hence there is no need to
switch the mode as such.

Hence, add logic to not change the NL mode if the kernel returns -EBUSY
during multi link AP operation. The caller can accordingly decide and,
if needed, it can re-schedule a scan request after some time.

Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
2024-08-05 20:34:12 +03:00
Aditya Kumar Singh
fd55dfe16e nl80211: Fix scan request and its related events handling with MLO
Currently, whenever a scan is started, it uses drv's first BSS only
whether it is AP or STA interface. However, with AP MLD related changes,
the same drv could be used by other BSSs as well which needs scanning.
Hence, the current logic will not work since scan needs to be handled on
a non-first BSS as well.

Move the logic of always using drv's first BSS during scan events to
using BSS on which the event arrived.

Also, for AP MLD operation, even though the BSS is same, the link BSS
also needs to be identified. Hence, add a back pointer in the BSS struct
which would be used to point to the link BSS which requested the scan on
that BSS. This will help in routing the scan events to an appropriate
BSS ctx.

Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
2024-08-05 20:34:12 +03:00
Gal Savion
23456e480e Avoid sending DEAUTH or DISASSOC packet when using flag tx=0
hostapd would send DISASSOC packet (after quiet DEAUTH) or DEAUTH packet
(after quiet DISASSOC) to the station after some inactivity timeout,
even though the command has tx=0 parameter. Fix this so that tx=0 cleans
the STA info without sending any DISASSOC or DEAUTH packets.

Signed-off-by: Gal Savion <gsavion@maxlinear.com>
2024-08-03 20:25:20 +03:00
Benjamin Berg
619ff3d2e8 build: Add simple compile_commands.json generation
This can be used with a clangd server to get code completion and cross
references in editor. To simplify the generation, create .cmd files for
most object files while building that contains the base directory and
command that was used when compiling it.

A very simple gen_compile_commands.py is provided which will read one or
more build directories and generate the compile_commands.json file for
it.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-08-03 20:16:18 +03:00
Purushottam Kushwaha
bb96540ef5 Add QCA vendor attribute to skip recently scanned channels
Add a new vendor attribute
QCA_WLAN_VENDOR_ATTR_SCAN_SKIP_CHANNEL_RECENCY_PERIOD for sub command
QCA_NL80211_VENDOR_SUBCMD_TRIGGER_SCAN to skip the recently scanned
channels within specified time (in ms), thus reducing the number of
channels for requested scan.

Signed-off-by: Purushottam Kushwaha <quic_pkushwah@quicinc.com>
2024-08-01 20:16:50 +03:00
Johannes Berg
1e54160515 hostapd: Fix BSS parameters change count on link removal
The value currently is simply incremented, but it must not
reach 255 and rather wrap around from 254 to 0, since in
the Reduced Neighbor Report 255 means unknown. Fix that.

Fixes: d95838b793 ("AP: Add support for testing ML link removal")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2024-08-01 17:30:12 +03:00
Diya Sati
21c3a7494c Add Link ID attribute for external ACS vendor command
The Link Id attribute is required for
qca_wlan_vendor_attr_external_acs_event to identify the link on which
the command is received for an AP MLD.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-08-01 10:38:24 +03:00
Shiva Sankar Gajula
5942965955 Add link ID attribute to ADD_STA_NODE QCA vendor command for AP MLD
Add QCA_WLAN_VENDOR_ATTR_ADD_STA_NODE_LINKID attribute to the
ADD_STA_NODE command to identify a specific link affiliated to an AP
MLD.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-08-01 10:37:10 +03:00
Purushottam Kushwaha
e1ab680c98 Add QCA vendor subcommand to request audio transport switch
Add a new sub command QCA_NL80211_VENDOR_SUBCMD_AUDIO_TRANSPORT_SWITCH
to request the audio data transport switch in both the command and event
path. This is used when two or more audio data transports are available
between peers.

Signed-off-by: Purushottam Kushwaha <quic_pkushwah@quicinc.com>
2024-08-01 10:32:00 +03:00
Vinay Gannevaram
7e0e69cfea SAE: Send external auth status after sending Authentication frame
The driver might delete the STA node details on receiving external auth
status. In SAE authentication failure case on the AP, an Authentication
frame with a failure status is sent to the driver after sending the
external auth status. Authentication frame transmission didn't have a
dependency with STA node details earlier, but with MLO, Authentication
frames should be transmitted using the link address for a given MLD MAC
address by the supplicant. Since MLD to link address translation is done
by the driver, the STA node details are required to transmit the
Authentication frame. Hence, send external auth status to the driver
after sending the Authentication frame.

SAE external auth was introduced in commit 4ffb0fefe4 ("hostapd:
Support external authentication offload in AP mode"), which requires the
change in order of sending Authentication frame and auth status in case
of failure when using MLO.

Signed-off-by: Vinay Gannevaram <quic_vganneva@quicinc.com>
2024-07-31 18:28:39 +03:00
Jouni Malinen
be6e4279fa RSNO: Verify all RSNE/RSNXE variants in multi-link cases
Use the RSN Override Link KDE to include the override variants of the
RSNE/RSNXE for each link so that all variants are verifies when
processing the protected EAPOL-Key message 3/4.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-30 19:56:00 +03:00
Jouni Malinen
521374b978 RSNO: Include all RSNE/RSNXE variants in EAPOL-Key message 3/4
This allows all variants to be verified based on a protected frame to
achieve robust downgrade protection.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-30 18:52:15 +03:00
Jouni Malinen
6f522baa1b RSNO: Use SNonce cookie to indicate support for RSN overriding
This provides an implicitly protected (SNonce is used as an input to PTK
derivation) mechanism for a STA to indicate support for RSN overriding
in a manner that does not cause interopability issues with deployed APs.

In addition, update sm->SNonce on the Authenticator only based on
message 2/4 since that is the only EAPOL-Key message that is defined to
provide the actual SNonce value. While clearing of this internal buffer
on message 4/4 might not cause issues, it is better to keep the actual
SNonce value here since the SNonce cookie can be used at a later point
in the sequence.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-30 12:16:05 +03:00
Jouni Malinen
62ca121f96 RSNO: Use the RSN Selection element to indicate which variant was used
This replaces the use of the RSNE Override and RSNE Override 2 elements
with empty payload to indicate which RSNE variant was used.

In addition, this adds stricter validation of the RSNE in
(Re)Association Request frame to allow only the pairwise cipher suites
and AKMs listed in the indicated RSNE variant to be used.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-30 12:16:05 +03:00
Jouni Malinen
524c452153 RSNO: Remove unused override element generation
The separate RSNOE/RSNO2E/RSNXOE buffers were not actually used on the
Authenticator, so remove them.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-30 12:16:05 +03:00
Chenming Huang
13648dde91 FILS: Check for potential NULL return
hostapd_eid_assoc_fils_session() might return NULL if memory allocation
fails. This NULL value then will be used for invalid calculation and
cause unspecified behavior or be dereferenced unexpectedly. Avoid this
with an explicit check of the returned pointer.

Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
2024-07-25 21:03:59 +00:00
Adil Saeed Musthafa
376adfea8d RSNO: Protect wpa_ie_buf3 from reuse explicitly
Use else-if check for better clarity regarding usage of wpa_ie_buf3 to
make it explicit that memory is allocated for this pointer only once.

Signed-off-by: Adil Saeed Musthafa <quic_adilm@quicinc.com>
2024-07-25 21:03:51 +00:00
Jouni Malinen
4adf234cd3 RSNO: Remove override elements from EAPOL-Key msg 3/4
This was not done in case the STA did not use RSN overriding.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-25 19:22:00 +00:00
Jouni Malinen
296104d35c Testing functionality to allow EAPOL-Key Reserved field to be set
The new hostapd configuration parameter eapol_key_reserved_random=1 can
be used for testing STA/Supplicant functionality to accept a random
value in the Reserved field within EAPOL-Key frames.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-24 17:22:42 +00:00
Jouni Malinen
2e4c612dd2 Allow RSNE/RSNXE/RSNOE/RSNO2E/RSNXOE to be replace for testing
This is convenient for testing STA behavior with various RSN element
combinations and special cases.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-24 01:01:29 +00:00
Jouni Malinen
bb61f6cb95 RSNO: Support over two octets of RSNXOE capabilities
The RSNXE generation function was extended to support this earlier, but
that update was missed from the RSNXOE variant.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-23 21:36:46 +00:00
Jouni Malinen
8b2ddfdbb6 RSNO: Allow RSNXE to be omitted
Add an explicit rsn_override_omit_rsnxe=1 configuration parameter to
allow the RSNXE to be omitted when using the RSNXOE and wanting to
minimize interoperability issues with STAs that might recognize the
RSNXE, but not handle it correctly, e.g., when multiple octets of
payload is included.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-23 21:20:45 +00:00
Vinay Gannevaram
4417b5ba86 Add QCA vendor interface to support Unsynchronized Service Discovery
Add a new QCA command QCA_NL80211_VENDOR_SUBCMD_USD and related
attributes to support Unsynchronized Service Discovery (USD).

Device in active subscriber role sends SDF frames with service
information to find devices that advertise or publish the required
services. Device address, operation type, instance id, service_id,
channel info, service specific info, element container attribute, and
timeout are sent to the driver to initiate USD publish or USD subscribe
operation. The driver sends QCA_NL80211_VENDOR_SUBCMD_USD event with
instance_id and the USD operation status. QCA_NL80211_VENDOR_SUBCMD_USD
is also used to update publish operation and to cancel the publish or
subscribe operation for a service. It also allows all the operations to
be terminated using the USD flush command.

Signed-off-by: Vinay Gannevaram <quic_vganneva@quicinc.com>
2024-07-20 21:00:21 +00:00
Jouni Malinen
765c48d5ad RSNE/RSNXE overriding for STA
Add support for RSNE/RSNXE Override elements. Use these elements to
determine AP's extended RSN parameters.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-20 21:28:28 +03:00
Jouni Malinen
d0b55eb360 Make driver capabilities for AKM suites available within wpa_supplicant
In addition, add some of the previously missed AKM suites from the
default capabilities.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-20 21:28:28 +03:00
Veerendranath Jakkam
341bcb2b5c nl80211: Add a capability flag for RSN overriding
Add a new capability flag based on the nl80211 feature advertisement for
RSN overriding support.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2024-07-20 21:28:28 +03:00
Veerendranath Jakkam
6fad7224be Add QCA vendor feature flags to indicate RSN override elements support
Add a separate feature flag for STA mode to indicate support for RSN
override elements.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2024-07-20 21:28:28 +03:00
Jouni Malinen
157b016383 RSNE/RSNXE overriding for AP
Allow hostapd to be configured to advertised two separate sets of
RSNE/RSNXE parameters so that RSNE/RSNXE can use a reduced set of
capabilities (e.g., WPA2-Personal only) for supporting deployed STAs
that have issues with transition modes while the new override elements
can use a newer security option (e.g., WPA3-Personal only) for STAs that
support the new mechanism.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-20 21:28:28 +03:00
Jouni Malinen
b8a2d11ae0 Allow RSNXE Override element to override RSNXE contents during parsing
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-20 21:28:28 +03:00
Jouni Malinen
48ca68f6f8 Allow RSNE Override element to override RSNE contents during parsing
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-20 21:28:28 +03:00
Jouni Malinen
c16ac89be2 Add RSN overriding elements into IE parsing
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-20 21:28:28 +03:00
Jouni Malinen
6b0ce29d25 Define WFA vendor specific element types for RSNE/RSNXE overriding
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-20 21:28:28 +03:00
Jouni Malinen
e99cdfae41 The main branch is now used for v2.12 development
Signed-off-by: Jouni Malinen <j@w1.fi>
2024-07-20 21:16:55 +03:00
Jouni Malinen
d945ddd368 Preparations for v2.11 release
Update the version number for the build and also add the ChangeLog
entries for both hostapd and wpa_supplicant to describe main changes
between v2.10 and v2.11. Update the copyright years for the main
programs.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-07-20 21:04:37 +03:00
Sunil Ravi
ed5887a8c9 Move NULL check for driver private data (drv_priv)
In the hostapd_cleanup_driver() function, the NULL check for the driver
private data (drv_priv) is located within the CONFIG_IEEE80211BE feature
flag. As a result, on platforms where CONFIG_IEEE80211BE is not defined,
driver->hapd_deinit(drv_priv) is called with drv_priv set to NULL. This
leads to a null pointer exception in wpa_driver_nl80211_deinit().

To address this issue, move the NULL check for drv_priv outside the
CONFIG_IEEE80211BE build flag. This ensures that the check is performed
regardless of the value of CONFIG_IEEE80211BE, preventing the NULL
pointer exception.

Fixes: df34c2ced3 ("AP MLD: De-initialize/disable link BSS properly")
Signed-off-by: Sunil Ravi <sunilravi@google.com>
2024-07-20 20:14:08 +03:00
Veerendranath Jakkam
c3d305d939 FT: Fix FTE MIC calculation with fragmented FTE
Currently wpa_ft_parse_ies() is setting FTE information to wpa_buf
pointer data which is generated after defragmentation. This data will
not contain FTE and Fragment element(s) headers.

IEEE P802.11be/D5.0 describes the MIC to be calculated on the
concatenation of FTE and corresponding Fragment element(s) which
implies the element headers are included for each element in the
fragmented case.

Fix this by correctly populating FTE information when FTE is
fragmented.

Fixes: 43b5f11d9 ("Defragmentation of FTE")
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2024-07-15 10:51:44 -04:00
marek@mazekey.pl
816e22bba1 hostapd: Fix opclass during CSA with DFS channels
During CSA with DFS channels, disable, enable interface is a part of the
algorithm. When interface was enabled old operating class before switch
and new channel were used causing mismatch in
configured_fixed_chan_to_freq() function.

Example of log when switch from channel 157 to 108 was triggered:
"Could not convert op_class 124 channel 108 to operating frequency"

Fixes: bb781c763 ("AP: Populate iface->freq before starting AP")
Signed-off-by: Marek Kwaczynski <marek@mazekey.pl>
2024-07-13 18:09:32 +03:00
gasmibal@gmail.com
93a3c59ad9 Multi-AP: Honor wds_sta even with multi_ap
When multi_ap is active, hostapd creates an AP-VLAN interface for 4addr
stations, even though wds_sta is not configured.

A check should be added to determine if wds_sta is active before
re-enabling the WDS mode by creating an AP-VLAN for 4addr stations.

Signed-off-by: Baligh Gasmi <gasmibal@gmail.com>
2024-07-13 18:09:32 +03:00
Jouni Malinen
7d51bf2abd SAE: Drop default dot11RSNASAESync value from 5 to 3
Going through five extra rounds of SAE commit messages in cases where
SAE peers are somehow unsynchronized feels unnecessary much to do by
default, so drop the default value to 3.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-13 16:37:15 +03:00
Jouni Malinen
5da59ff1cd SAE: Disable protocol instance temporarily on sync error in mesh
Reduce the number of unwanted SAE commit retries in synchronization
error cases when Sync > dot11RSNASAESync in mesh cases by discarding
received SAE commit messages for 10 seconds after a sync error has been
detected.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-13 16:35:12 +03:00
Nicolas Escande
7b8517d197 nl80211: Fix AP scan with STA fallback error path
I've run into a case where I can bring a 2.4 GHz AP up without it being
in a bridge while I used the 'bridge=' config option. This happens when
the HT scan needed for 40 MHz operation failed to start from the get go
because another dev on the same phy was already in a scan. At the end
the AP is up and running but not added into any bridge.

Upon looking at the code, it seems that some hardware fails to issue a
scan while in AP and thus we have a fallback that switches the interface
from AP to STA before retrying another scan (it will change it back to
AP later on when finished). As we cannot have a (non-WDS) STA in a
bridge, during that procedure, we also remove/add the AP/STA from/to the
bridge as needed.

However, in wpa_driver_nl80211_scan() we do not set
drv->ap_scan_as_station until the end of the switch-to-sta &
retry-scan-start block. This means that when the recursive call to
wpa_driver_nl80211_scan() fails (the hardware is busy in my case) we
restore the interface to AP with wpa_driver_nl80211_set_mode() but that
will not add it back to the bridge. Problem.

To fix this lets always set drv->ap_scan_as_station before calling
wpa_driver_nl80211_set_mode(). In case wpa_driver_nl80211_set_mode() or
wpa_driver_nl80211_scan() fails lets call nl80211_restore_ap_mode() that
will set the mode back to AP but also handle the bridge thing as needed.

Signed-off-by: Nicolas Escande <nico.escande@gmail.com>
2024-07-12 16:44:30 +03:00
Chien Wong
6ad59779c2 nl80211: NAN: Register multicast action frames if possible
The USD passive subscriber and solicited transmission only publisher
require receiving multicast NAN action frames in order to work.
Currently, we are not requesting to receive multicast when
registering NAN action frames. As a result, USD passive subscribe or
solicited only publish may not work.

The NL80211_ATTR_RECEIVE_MULTICAST attribute corresponds to wiphy
ext feature NL80211_EXT_FEATURE_MULTICAST_REGISTRATIONS, which
requires driver support and only a few drivers in the kernel tree
support it. Namely ath9k, ath9k_htc, ath10k and hwsim. We should
fall back to register non multicast action frames if the driver
has no support.

It was confirmed that ath9k_htc starts to work after the changes.

Note that even without requesting to receive multicast Action
frames, some drivers would still upload them. For example, rtl8192cu
and hwsim. This is why test cases like test_nan_usd_match would not
fail.

Tested-on: TP-LINK TL-WN821N v3(AR7010+AR9287, ath9k_htc)
Signed-off-by: Chien Wong <m@xv97.com>
2024-07-12 16:40:48 +03:00
Chien Wong
92829d8bee NAN: Reject undefined publish type
The Wi-Fi Aware Specification v4.0 only defines unsolicited
transmissions only, solicited transmissions only and both unsolicited
and solicited transmissions publish. The other possibility is undefined
so we should reject it.

Signed-off-by: Chien Wong <m@xv97.com>
2024-07-12 16:37:01 +03:00
Michael-CY Lee
7c935eef36 nl80211: AP MLD: Reassign drv->ctx correctly to prevent hostapd crash
When the first link is deleted and there are still remaining links,
drv->ctx should be updated to the new default link on the bss.
Otherwise, drv->ctx points to the address that has already been freed
and makes hostapd crash.

Fixes: d2b62b3fe5 ("AP MLD: Support link removal before removing interface")
Signed-off-by: Michael-CY Lee <michael-cy.lee@mediatek.com>
2024-07-12 15:20:44 +03:00
Andrei Otcheretianski
5f83f4db0b Add int_array_includes()
This is a convenient helper function for using int_array instances.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2024-07-12 12:58:05 +03:00
Hari Naraayana Desikan Kannan
627b67f29b ACS: Fix primary channel puncturing in ACS
Currently, when the ACS is updating the puncturing bitmap, the function
acs_update_puncturing_bitmap() sets the primary channel bitmap to 0.
This leads to a potential issue where the primary channel could be
punctured if ACS selects a different best channel within the same
segment.

To fix this issue, ensure that the primary channel bitmap is correctly
set by calculating the index of the primary channel based on the
frequency difference between the current channel and the best channel in
the segment, and is then passed to acs_update_puncturing_bitmap().

Fixes: af0f60e7dd ("EHT: Calculate puncturing bitmap for ACS")
Signed-off-by: Hari Naraayana Desikan Kannan <quic_hnaraaya@quicinc.com>
2024-07-12 12:42:08 +03:00
Hari Naraayana Desikan Kannan
be2ac92918 ACS: Fix ACS behavior for channel selection
The current ACS algorithm incorrectly returns success even when there is
no survey list, leading to improper interference factor calculation.
This leads to treating 0 as a valid interference factor, which affects
channel selection judgment.

Fix the issue by ensuring success is only returned when the survey list
is not empty, thereby ignoring non-zero values in the interference
factor calculation.

Signed-off-by: Hari Naraayana Desikan Kannan <quic_hnaraaya@quicinc.com>
2024-07-12 12:40:00 +03:00
Hari Naraayana Desikan Kannan
83cfeb8903 ACS: Update ACS documentation
Update the documentation to reflect the ACS algorithm used in the code.
No functionality change.

Signed-off-by: Hari Naraayana Desikan Kannan <quic_hnaraaya@quicinc.com>
2024-07-12 12:38:10 +03:00
Hu Wang
cb91ef2566 MLO: Swap Tx/Rx keys for GTK TKIP Michael MIC in MLO GTK KDE
While TKIP should not really be used at all anymore and is not allowed
for WPA3 (which is required for Wi-Fi 7), there are some deployed APs
that allow WPA2 PSK to be used with MLO and even allowing WPA+WPA2 mode
with TKIP as the group cipher). IEEE P802.11be/D5.0 does not seem to
explicitly disallow this combination, so handle the MLO GTK KDE key
processing similarly to the way GTK KDE is processed, i.e., including
swapping of Michael MIC Tx and Rx keys for TKIP.

This fixes issues with Michael MIC failures if TKIP is used as a group
cipher for a multi-link association.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-12 12:36:50 +03:00
Jouni Malinen
c6f394b888 Indicate if SSID has been verified in STATUS output
Add a new "ssid_verified=1" entry into the control interface STATUS
command output if the SSID has been verified for the current
association. This verification may have been done implicitly (e.g., with
SAE H2E and FT protocol binding in the SSID into key derivation or with
FILS protecting the SSID element in the (Re)Association Request frame)
or explicitly with the recently added SSID protection mechanism during
the 4-way handshake.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-11 22:58:12 +03:00
Sai Pratyusha Magam
b745cd33ef PASN: Derive KDK on AP only when both ends support SecureLTF
On the AP responder side, KDK was derived if the driver advertises
WPA_DRIVER_FLAGS2_SEC_LTF_AP. That is not correct, i.e., this needs to
also depend on the initiator indicating support for this in the RSNXE of
PASN authentication frame 1.

Signed-off-by: Sai Pratyusha Magam <quic_smagam@quicinc.com>
2024-07-11 22:14:50 +03:00
Benjamin Berg
58b2759551 trace: Only permit explicit prefix matching for functions
The matching code currently only tests whether the prefix of a function
matches. Make this more strict by ensuring that the function name is not
longer.

However, as this breaks some tests (due to inlining), add the ability to
do an explicit prefix match by appending a '*' to the function name. Use
this to change the eap_eke_prf match to eap_eke_prf_* in order to match
one of the actual implementations.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-07-11 19:54:50 +03:00
Benjamin Berg
49344db095 trace: Use strncmp() to match function names
The functions specified by the user might be longer than the function in
the backtrace, potentially overflowing the memcmp(). In practice, it
should not be a relevant out-of-memory read. However, we can use
strncmp() instead.

Note that, as before, this is only a prefix match. If a function name is
longer in the backtrace it will still match.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-07-11 19:52:34 +03:00
Benjamin Berg
ac15b79fe5 PMKSA: Guard against NULL KCK for memcpy()
If the kck_len is 0 then the pointer may be NULL. If that happens UBSAN
complains about the NULL pointer as memcpy() has the arguments declared
to never be NULL even if the copied number of bytes were zero.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-07-11 19:48:11 +03:00
Sascha Hauer
3b4f127084 nl80211: Use actual number of supported AKMs for AP setup
Since 0ce1545dcb ("nl80211: Determine maximum number of supported
AKMs") we get the maximum number of supported AKMs from the kernel.
Let's use that instead of the legacy NL80211_MAX_NR_AKM_SUITES when
setting up AP mode operation.

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
2024-07-11 18:30:21 +03:00
Sai Pratyusha Magam
8f69e538a9 SecureLTF: Work around misbehaving STAs for PTK derivation without KDK
Some deployed STAs that advertise SecureLTF support in the RSNXE in
(Re)Association Request frames, do not derive KDK during PTK generation.
Since the correct key calculations in the AP includes an additional KDK
generation in such cases, this causes different PTK-KCK being derived
and the AP ultimately discarding EAPOL-Key message 2/4 due to MIC
validation failure.

Try to derive a PTK without KDK as a workaround in such cases and allow
the 4-way handshake to continue if this results in a matching MIC.

Signed-off-by: Sai Pratyusha Magam <quic_smagam@quicinc.com>
2024-07-11 18:23:49 +03:00
Aditya Kumar Singh
61eb89d5fd nl80211: AP MLD: Parse link ID to determine the BSS for color event
When an HE BSS color event is received from the driver, the event was
delevered to the first link BSS ctx. To support HE BSS color with MLO,
there is a need to identify the correct link for which the event is
intended.

Add link ID parsing support in the event handler and pass the link ID
(if included) down to the event handler so that appropriate link can be
selected.

Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
2024-07-11 17:23:47 +03:00
Aditya Kumar Singh
5d16ad9ab0 nl80211: Refactor color collision related nl80211 commands handling
Almost same logic is there in handling four different commands related
to color collision. Later when link ID needs to be parsed, it would be
more duplicate logic at four different places. Hence refactor and bring
it in a single function.

No functionality changes.

Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
2024-07-11 17:21:03 +03:00
Aditya Kumar Singh
22a592d119 hostapd: Fix updating Beacon frames during association handling
In function handle_assoc(), ieee802_11_update_beacons() was used to
update the Beacon frames. However, with commit a5d0bb42a2 ("Reduce
delay between Association Request and Association Response"), it was
changed to ieee802_11_set_beacons() which basically overturned what
commit e59d2a31cf ("hostapd: Fix premature beacon set during
association handling") did which is not correct.

Fix this and use ieee802_11_update_beacons() instead of
ieee802_11_set_beacons().

Fixes: a5d0bb42a2 ("Reduce delay between Association Request and Association Response")
Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
2024-07-11 17:13:45 +03:00
Jouni Malinen
9716bf1160 SAE: Reject invalid Rejected Groups element in the parser
There is no need to depend on all uses (i.e., both hostapd and
wpa_supplicant) to verify that the length of the Rejected Groups field
in the Rejected Groups element is valid (i.e., a multiple of two octets)
since the common parser can reject the message when detecting this.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-07-09 23:37:45 +03:00
Aleti Nageshwar Reddy
5f98c853e4 nl80211: Send link ID with NL80211_CMD_TDLS_MGMT to enable TDLS with MLO
The latest Linux kernel is mandating link ID with NL80211_CMD_TDLS_MGMT
for MLO connections. This resulted in not being able to perform TDLS
operations during a multi-link association.

Fix this by sending link ID in NL80211_CMD_TDLS_MGMT when available. If
link ID info is not available, send the link ID of the association link.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-09 23:20:50 +03:00
Jouni Malinen
f302d9f964 RADIUS: Check Message-Authenticator if it is present even if not required
Always check the Message-Authenticator attribute in a received RADIUS
message if it is present. Previously, this would have been skipped if
the attribute was not required to be present.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-07-09 14:58:39 +03:00
Jouni Malinen
58097123ec RADIUS: Require Message-Authenticator attribute in MAC ACL cases
hostapd required Message-Authenticator attribute to be included in EAP
authentication cases, but that requirement was not in place for MAC ACL
cases. Start requiring Message-Authenticator attribute for MAC ACL by
default. Unlike the EAP case, this can still be disabled with
radius_require_message_authenticator=1 to maintain compatibility with
some RADIUS servers when used in a network where the connection to such
a server is secure.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-07-09 14:58:39 +03:00
Jouni Malinen
934b0c3a45 Require Message-Authenticator in Access-Reject even without EAP-Message
Do not allow the exception for missing Message-Authenticator in
Access-Reject without EAP-Message. While such exception is allowed in
RADIUS definition, there is no strong reason to maintain this since
Access-Reject is supposed to include EAP-Message and even if it doesn't,
discarding Access-Reject will result in the connection not completing.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-07-09 14:58:39 +03:00
Jouni Malinen
f54157077f RADIUS DAS: Move Message-Authenticator attribute to be the first one
Even if this might not be strictly speaking necessary for mitigating
certain RADIUS protocol attacks, be consistent with the RADIUS server
behavior and move the Message-Authenticator attribute to be the first
attribute in the RADIUS DAS responses from hostapd.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-07-09 14:58:39 +03:00
Jouni Malinen
37fe8e48ab hostapd: Move Message-Authenticator attribute to be the first one in req
Even if this is not strictly speaking necessary for mitigating certain
RADIUS protocol attacks, be consistent with the RADIUS server behavior
and move the Message-Authenticator attribute to be the first attribute
in the message from RADIUS client in hostapd.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-07-09 14:58:39 +03:00
Jouni Malinen
54abb0d3cf RADIUS server: Place Message-Authenticator attribute as the first one
Move the Message-Authenticator attribute to be the first attribute in
the RADIUS messages. This mitigates certain MD5 attacks against
RADIUS/UDP.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-07-09 14:58:39 +03:00
Jouni Malinen
adac846bd0 RADIUS: Allow Message-Authenticator attribute as the first attribute
If a Message-Authenticator attribute was already added to a RADIUS
message, use that attribute instead of adding a new one when finishing
message building. This allows the Message-Authenticator attribute to be
placed as the first attribute in the message.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-07-09 14:58:39 +03:00
Jouni Malinen
21fe042815 SAE: Clear peer_rejected_groups when no element is included
When parsing a SAE Commit message, the temporary peer_rejected_groups
parameter was left to its old value in cases where the new SAE Commit
message did not include the Rejected Groups element. This could result
in unexpected behavior if a previously processed SAE Commit message
included a Rejected Groups element that claimed one of the enabled
groups to be rejected.

Explicitly clear the peer_rejected_groups value when parsing an SAE
Commit message without a Rejected Groups element to avoid rejecting the
new message based on some previously received incorrect information.
This avoids some potential denial-of-service issues during the lifetime
of the SAE temporary data.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-07-07 11:48:35 +03:00
Jouni Malinen
364c2da874 SAE: Check for invalid Rejected Groups element length explicitly
Instead of practically ignoring an odd octet at the end of the element,
check for such invalid case explicitly. This is needed to avoid a
potential group downgrade attack.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-07-07 11:46:49 +03:00
Gururaj Pandurangi
c9db4925f6 Vendor attribute to configure STA to follow AP preference for candidates
Add a vendor attribute to configure a STA to follow AP advertised
preference values to select roam candidates with BTM.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-06-20 18:59:00 +03:00
Purushottam Kushwaha
0cb42655fb Vendor command extension for Responder PM Mode bit in TWT SET Request
Use the existing QCA_WLAN_VENDOR_ATTR_TWT_SETUP_RESPONDER_PM_MODE
attribute for TWT setup request to configure the Responder PM Mode bit
in the control field of the TWT element or broadcast TWT schedule.

Signed-off-by: Purushottam Kushwaha <quic_pkushwah@quicinc.com>
2024-06-20 18:54:51 +03:00
Purushottam Kushwaha
9832f13242 Add vendor flag to indicate unavailability mode in TWT responder mode
Add a flag attribute
QCA_WLAN_VENDOR_ATTR_TWT_SET_PARAM_UNAVAILABILITY_MODE into enum
qca_wlan_vendor_attr_twt_set_param to configure the TWT responder
unavailability outside of the SPs of its broadcast TWT schedule.

Signed-off-by: Purushottam Kushwaha <quic_pkushwah@quicinc.com>
2024-06-20 18:52:53 +03:00
Chenming Huang
761041b18a SAE: Free password identifier if SAE commit is rejected due to it
Authentication rejection was found when doing fuzz testing even with a
valid SAE commit message when it was sent after a SAE commit message
that included an incorrect password identifier. The test steps for this
are as below:

1. Peer sends an abnormal commit message with incorrect password
   identifier
2. APUT rejects as expected
3. Peer sends a valid commit message
4. APUT rejects again, which is not expected

In step 2, as the abnormal data fakes an empty password identifier
element, it passes sae_is_password_id_elem() checking. Memory is then
allocated for sae->tmp->pw_id. The authentication process then fails
due to no available password with this invalid password identifier.

In step 4, though the peer sends a valid commit message, APUT rejects
this SAE commit again due to no password identifier element (due to that
sae->tmp->pw_id being set), which is not expected.

Free the sae->tmp->pw_id field and set it to NULL when SAE commit
message processing fails due to an unknown password identifier so that
the bogus value is not used as a requirement for any consecutive SAE
commit from the same STA before the STA entry gets cleared.

Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
2024-06-20 18:19:26 +03:00
Nidhi Jain
d97b5c6492 Define Link Id attribute for secure ranging context vendor command
The Link Id attribute is required for secure ranging context to identify
the link on which the command is received for an MLD.

Signed-off-by: Nidhi Jain <quic_nidhjain@quicinc.com>
2024-06-19 22:33:52 +03:00
Nidhi Jain
2097de2a6a Define Link Id attribute for QCA_NL80211_VENDOR_SUBCMD_PASN
The Link Id attribute is required for QCA_NL80211_VENDOR_SUBCMD_PASN to
identify the link on which the command is received for an MLD.

Signed-off-by: Nidhi Jain <quic_nidhjain@quicinc.com>
2024-06-19 22:31:59 +03:00
Diya Sati
c6e55fb96b Add Link ID for External ACS vendor command
The Link Id attribute is required for external ACS context to identify
the link on which the command is received for an AP MLD.

Signed-off-by: Diya Sati <quic_dsati@quicinc.com>
2024-06-19 22:28:50 +03:00
Jouni Malinen
37a289f8bc SSID protection in 4-way handshake on AP
Add support for SSID protection in 4-way handshake based on the
mechanism added in IEEE 802.11REVme/D6.0. This is a mitigation against
CVE-2023-52424 (a.k.a. the SSID Confusion Attack).

This functionality is disabled by default and can be enabled with
ssid_protection=1. Once there has been more testing of this to confirm
there is no significant interoperability issues, the goal is to be able
to change this to be enabled by default.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-06-19 12:38:14 +03:00