Commit graph

19365 commits

Author SHA1 Message Date
Jouni Malinen
010d8d10ed EHT: Use eht_oper_puncturing_override when constructing VHT elements
The testing functionality for overriding EHT puncturing bitmap was
applied only for the EHT elements. The mac80211 has been updated to
enforce compartibility between EHT and HT/VHT information and that made
the related test cases fail. Apply the override value for VHT element
generation to avoid some of those issues.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-03-06 22:34:57 +02:00
Jouni Malinen
0eb67e43bb tests: Do not drop HT capability on CS to avoid test failures
Leave the HT capability of the AP as-is when running channel switch test
cases that started failing with a recent kernel change that disconnects
on such "unexpected" change in AP capabilities.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-03-06 19:32:16 +02:00
Jouni Malinen
0a321d1733 tests: Fix fuzzing tester for WNM
Processing of WNM frames can results in a lookup of the current BSS
table. As such, the testing tool needs to initialize the BSS table to
avoid NULL pointer dereferences. This is not an issue that would show up
with real production uses with wpa_supplicant since wpa_bss_init() is
called there.

Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=67244
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-03-06 17:38:08 +02:00
Jouni Malinen
40d5fecac2 Fix fuzzing test build
The commit that renamed the WNM BTM deallocation function forgot to
update the fuzz tester tool.

Fixes: e508c070c4 ("WNM: Keep BTM information until connection completes")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-03-05 17:24:50 +02:00
Jouni Malinen
27dac87b7c tests: Update Supported Operating Classes element validation
The wpa_supplicant implementation for building the Supported Operating
Classes element was modified to add support for 80 MHz and wider
bandwidth on the 6 GHz band, 2-octet operating classes, and freq_list on
the 6 GHz band. Update the test cases that verify exact encoding of this
information to match the implementation changes.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-03-05 17:24:50 +02:00
Jouni Malinen
c00abc69f2 Handle 6 GHz channels in Supported Operating Classes with freq_list
Only the 2.4 and 5 GHz channels were handled previously when removing
operating classes from the Supported Operating Classes element based on
the freq_list parameter. Extend this to include the 6 GHz band as well.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-03-05 17:01:30 +02:00
Jouni Malinen
9e90486bce 2-octet operating classes in Support Operating Classes element
A previous workaround was used to move the special operating class 130
to the end of the Supported Operating Classes element to avoid getting
any following entry being ignored or misunderstood. That is not really
the correct way of encoding the special cases, i.e., 80+80 MHz channels
that use two nonadjacent frequency segments.

Add support for encoding the 80+80 MHz channel with the 2-octet
operating class design using the Operating Class Duple sequence field of
the Supported Operating Classes element instead of listing the operating
classes that have the 80+ behavior limit set indication in Table E-4
(i.e., opclass 130 and 135) as 1-octet operating classes in the
Operating Classes field.

Fixes: a92660a00e ("Work around Supported Operating Classes element issues for 6 GHz")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-03-05 16:24:35 +02:00
Jouni Malinen
460df51ed8 tests: Verify supported operating classes indication for 6 GHz
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-03-04 19:20:03 +02:00
Ainy Kumari
5dabc10185 Extend support for the 6 GHz operating class 137 (320 MHz)
Commit 085a3fc76e ("EHT: Add 320 channel width support") added this in
various places, but it did not cover everything. Extend this support to
be more complete. In particular, this allows wpa_supplicant to report
the operating class 137 in the Supported Operating Classes element and
to use it when processing beacon requests.

Signed-off-by: Ainy Kumari <quic_ainykuma@quicinc.com>
2024-03-04 19:20:03 +02:00
Ainy Kumari
e74d95e0aa nl80211: Process 6 GHz regulatory rules to accurate channel flags
This is needed to be able to indicate all supported operating classes.

Signed-off-by: Ainy Kumari <quic_ainykuma@quicinc.com>
2024-03-04 19:20:03 +02:00
Jouni Malinen
59951ebf09 Use a helper function to free neighbor DB entries
There is no need to duplicate this code in multiple locations.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-03-03 21:33:46 +02:00
Jouni Malinen
96f0af07e6 Clear all neighbor entry items explicitly
Do not leave some of the variables to their previously used values when
a neighbor entry is cleared.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-03-03 21:33:46 +02:00
Nikita Chernikov
6f285fbafc Update own report in nr_db if SSID is changed
short_ssid in the own neighbor report might get out of sync, causing
advertising RNR element based on the old SSID, when SSID is changed
either with control interface command SET or with SIGHUP. Therefore,
sync the own report entry by removing the old entry and setting own
report again if the short SSID value has changed.

Signed-off-by: Nikita Chernikov <nchernikov@maxlinear.com>
2024-03-03 21:33:46 +02:00
Michael-CY Lee
b653420a23 AP MLD: Set link address only when non-AP MLD is not added to driver
Once the non-AP MLD is added to the driver, the driver handles the
address translation so that hostapd receives Management frames with
SA/DA being translated into MLD MAC addresses.

If the Authentication frmae is retransmitted with transaction being 1,
SA of the retransmitted Authentication frame is translated into the MLD
MAC address by the driver, and then in the function handle_auth(),
sta->mld_info.links[].peer_addr would be replaced by the MLD MAC address
even though it is supposed to be the link address.

Therefore, update the MLD information only when the STA has not yet been
added into the driver to avoid replacing the previously determined link
address with the MLD MAC address.

Fixes: bcbe80a66 ("AP: MLO: Handle Multi-Link element during authentication")
Signed-off-by: Michael-CY Lee <michael-cy.lee@mediatek.com>
2024-03-03 21:33:46 +02:00
Mujibur Rahiman K
16abdac809 Fix INTERFACES command buffer size to allow more data
reply_size instead sizeof(buffer) should be provided to
hostapd_global_ctrl_iface_interfaces() when processing INTERFACES
commands. The previous use of sizeof(buffer) used a significantly
shorter limit (256 vs. 4096 bytes) for the output and this could have
resulted in unnecessary truncation of the output.

Fixes: 618f5d01b0 ("hostapd: Add INTERFACES ctrl_iface command")
Signed-Off-By : Mujibur Rahiman K mujiburrahimank@maxlinear.com
2024-03-03 20:10:13 +02:00
Janusz Dziedzic
b483ceafc4 hostapd: Dump VHT/HE/EHT full capabilities in STA command output
Show full VHT/HE/EHT capabilities for connected stations.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
2024-03-03 20:07:41 +02:00
Jouni Malinen
040ba112aa Use os_snprintf_error() more consistently in STA output generation
In theory, os_snprintf() could return a negative value and as such,
os_snprintf_error() should be used in all cases where the buffer might
not be large enough.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-03-03 20:01:27 +02:00
Jouni Malinen
31bbc9391e Do not change out-of-range configuration parameters
The INT_RANGE() cases for wpa_supplicant global and network profile
parameters ended up changing the configured value to the minimum value
if the provided value was too small or to the maximum value if the
provided value was too large. This does not seem most logical. Change
this to not change the configured value at all if the provided value is
outside the valid range.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-03-03 19:55:45 +02:00
Jouni Malinen
16f7072888 tests: More debug info for eht_mld_sae_legacy_client
It looks like this test case can fail in some cases. Add more debug info
and event wait that might help with a race condition.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-03-03 19:25:27 +02:00
Jouni Malinen
6889380177 tests: Use even larger timeout of concurrent P2P operations
It looks like the 30 second timeout, i.e., 25 second to discover and
receive GO Negotiation Request, was not sufficient for all cases.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-03-03 19:09:10 +02:00
Jouni Malinen
0e399ced32 tests: wpa_supplicant configuration parser range checking
Signed-off-by: Jouni Malinen <j@w1.fi>
2024-03-03 18:47:16 +02:00
Jouni Malinen
fd24ed9490 Fix valid range for disable_ht40
This network parameter uses values 0 and 1, so -1 should not have been
accepted.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-03-03 18:37:21 +02:00
Jouni Malinen
b1a880f38f Enforce valid range check for SET mbo_cell_capa and oce
These parameters have both a separate SET command handler and a global
configuration parameter handler. Only the global configuration parameter
handler for enforcing valid range checking. Do that for the SET command
as well.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-03-03 18:21:07 +02:00
Chien Wong
e5b7e5b900 wpa_supplicant: Fix ignoring boundary 0 in config parser
The following config file contains invalid items:
----
filter_rssi=1234 # should be rejected

network={
 mode=-1 # should be rejected
 ssid="ssid"
 psk="password"
}
----
But it is accepted by the config parser. The issue is due to using NULL
to represent no limit. If a boundary is set to 0, it's disregarded.
Fix this.
Note that string parser is not affected as length cannot be negative and
we are not limiting any string to be always empty.

Signed-off-by: Chien Wong <m@xv97.com>
2024-03-03 18:21:01 +02:00
Jouni Malinen
10122e951d P2P: Fix pri/sec channel switch skipping for GO
Use of wpa_s->p2p_go_no_pri_sec_switch needs to be conditional on
CONFIG_P2P being defined for the build to avoid a compilation error and
ssid->p2p_group to avoid using this for non-P2P AP mode case in
wpa_supplicant. Furthermore, it is better to clear this flag when
stopping a P2P GO to reduce risk of this getting used for a separate
instance of starting a GO.

Fixes: b18d957593 ("P2P: Disable pri/sec channel switch for GO with forced frequency")
Signed-off-by: Jouni Malinen <j@w1.fi>
2024-03-02 21:04:30 +02:00
Benjamin Berg
e508c070c4 WNM: Keep BTM information until connection completes
In the MLD case, the information from the transition management request
is relevant during the association process in order to filter out links
that were disallowed by the BTM request. Also, the information remains
useful should a connection attempt fail.

To enable these scenarios, keep the information around until the
connection has completed. As this might make it impossible to establish
a connection, also clear this information at the same time that a normal
BSS ignore is cleared to avoid getting stuck in case the transition
fails unexpectedly.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-03-02 20:52:50 +02:00
Benjamin Berg
17a2aa822c WNM: Follow BTM procedure if the last link is dropped
If the last link is dropped, it makes sense to follow the BTM procedure.
However, in that case we need to prevent reconnection to this link
specifically, while if the AP MLD is terminating we need to forbid
connecting to the AP MLD.

As such, add a new variable to track the BSSID or AP MLD MAC address.
Which one it refers to depends on whether wnm_link_removal is set.

This also simplifies the check in wnm_is_bss_excluded() and untangles it
from wpa_s->current_bss.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-03-02 20:52:17 +02:00
Benjamin Berg
770f3cb30b WNM: Remove dialog_token parameter
All callers of wnm_send_bss_transition_mgmt_resp() are explicitly
passing wpa_s->wnm_dialog_token. As such, we might as well not pass it
and use the variable directly.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-03-02 20:52:17 +02:00
Benjamin Berg
c7cafef8a1 WNM: Set wnm_reply to 0 when sending it
There is no point in the caller to set it to zero. Just do so within
wnm_send_bss_transition_mgmt_resp().

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-03-02 20:52:17 +02:00
Benjamin Berg
261f7f9e51 WNM: Do not store coloc_intf_elems
The elements are (currently) not used except for sending an immediate
response similar to COLOC_INTF_REPORT with the main difference being
that the dialog token is included.

Do not store the elements. It easy enough to re-add this should the
implementation improve. And this fixes the fact that the variable is
cleared at odd times as wnm_deallocate_memory() is used specifically to
clear the neighbor report list of a BTM request.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-03-02 20:52:17 +02:00
Benjamin Berg
033adbf833 WNM: Drop explicit wpa_is_bss_tmp_disallowed() check
There is no need for this check as wpa_scan_res_match() already calls
the function through wpa_scan_res_ok() before accepting a match.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-03-02 20:52:17 +02:00
Benjamin Berg
8b51310f4e WNM: Drop explicit SSID check
The call to wpa_scan_res_match already checks that the SSID matches
current_ssid. Therefore there is no need to do any further checking.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-03-02 20:52:17 +02:00
Benjamin Berg
939cd294b2 WNM: Drop check for current_ssid
It should never be NULL. In the unlikely event that it is NULL, the
logic changes slightly to reject all candidates.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-03-02 20:52:17 +02:00
Benjamin Berg
436f07d02b WNM: Define a stub wnm_is_bss_excluded if WNM is disabled
This removes the need to check for CONFIG_WNM.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-03-02 20:52:17 +02:00
Avraham Stern
e164943f43 WNM: Wait for BTM response TX status before roaming
When accepting a BSS transition request there is a race between
sending the response and roaming to the target AP. As a result,
the response may not be sent because the station deauthenticated
from the AP before the response was actually sent.

To make sure the BSS transition response is sent, start roaming only
after the TX status is received for the BSS transition response.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-03-02 20:52:17 +02:00
Benjamin Berg
40ef706e55 WNM: Don't scan frequencies of neighbors that should be ignored
It does not make sense to scan for neighbors that we are not supposed to
use anyway. As such, skip them.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-03-02 20:52:17 +02:00
Benjamin Berg
20ed289a78 WNM: Clean up old scan data processing
When receiving a BTM request, wpa_supplicant would try to fetch new
results from the driver, and, independently of that, would also process
the latest scan results that were partially updated by the previous
fetch.

Simplify the logic by using wpa_supplicant_get_scan_results() directly
and then process the old scan data as usual. However, this data may be
outdated, so add a new heuristic to avoid roaming to a BSS if it is
either outdated or bad.

Doing this moves all scan data processing into wnm_scan_process() and
removes duplicated functionality for scan result processing in scan.c.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-03-02 20:52:14 +02:00
Jouni Malinen
4750a4f62a DPP: Wait for TX wait expiration on moving to neg_freq for Auth Resp
Avoid potential race conditions with the driver operations between
stopping an ongoing wait for responses for an offchannel TX that was
used to send Authentication Request with a request to use a different
channel for Authentication Response and the start of a new ROC on the
other channel by waiting for the TX expiration event before issuing the
ROC request.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-03-02 19:39:49 +02:00
Jouni Malinen
963dbad7dc nl80211: Indicate EVENT_TX_WAIT_EXPIRE on match-saved
The event indicating expiration of an offchannel TX is useful for cases
where the wait is for a frame that was explicitly requested to have the
pending cookie to be saved.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-03-02 19:39:49 +02:00
Jouni Malinen
451d299528 DPP: Wait for ROC cancelled event on Auth Resp TX on another channel
Avoid potential race conditions with the driver operations between
cancelling an ongoing ROC that was used to receive Authentication
Request that requested a different channel to be used for the
negotiation by waiting for the ROC cancelled event before issuing the
offchannel TX command for the Authentication Response.

In addition, speed up the retry on Authentication Response in this type
of a case if the first attempt on the other channel is not AKC'ed since
it might take the peer device a bit more time to be ready to listen
there.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-03-02 19:39:49 +02:00
Benjamin Berg
45fffac0fe BSS: Switch struct wpa_bss to use valid_links bitmask
This aligns both the wpa_supplicant and bss structures to use the same
pattern of a valid_links bitmask plus per-link entries.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-03-02 12:24:15 +02:00
Benjamin Berg
e90f6678f1 nl80211: Remnove unused struct i802_link ctx
This was never used.

Fixes: 47269be36e ("nl80211: Refactor i802_bss to support multiple links")
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-03-02 12:01:33 +02:00
Benjamin Berg
0d4288a005 nl80211: Use valid_links bitmask for bss->links array
Most places in the codebase use a valid_links bitmask with an array.
Switch the bss->links array to use the same design with the Link ID
being used as the array index instead of having a link_id inside.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-03-02 11:59:16 +02:00
Jouni Malinen
9ed51186e8 Use a single define MAX_NUM_MLD_LINKS for the maximum number of links
There is no need to maintain a separate MAX_NUM_MLO_LINKS define for
practically the same thing.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-03-02 11:25:20 +02:00
Benjamin Berg
11f26fed64 Use for_each_link() where possible
This takes care of the places that the spatch did not catch already.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-03-02 11:12:13 +02:00
Benjamin Berg
dbdf7ef679 Use for_each_link() in most cases
This was done using the below semantic patch. There are a few more
places that were missed due to variable declarations or additional
checks in the for loop.

@@
iterator name for_each_link;
identifier max_links =~ "MAX_NUM_MLD_LINKS|MAX_NUM_MLO_LINKS";
expression links;
expression further_tests;
identifier i;
statement stmt;
@@
-for (i = 0; i < max_links; i++)
+for_each_link(links, i)
 {
(
-  if (!(links & BIT(i)))
-    continue;
   ...
|
-  if (!(links & BIT(i)) || further_tests)
+  if (further_tests)
     continue;
   ...
|
-  if (further_tests || !(links & BIT(i)))
+  if (further_tests)
     continue;
   ...
|
-  if (links & BIT(i))
     stmt
|
-  if (further_tests && (links & BIT(i)))
+  if (further_tests)
     stmt
|
-  if ((links & BIT(i)) && further_tests)
+  if (further_tests)
     stmt
)
 }

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-03-02 11:11:12 +02:00
Benjamin Berg
c9f8fe0664 common: Introduce for_each_link() macro
This is a simple macro iterating the given bitmask using the given
variable. Having the macro avoids the for loop-continuation making it
more readable overall.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-03-02 11:02:54 +02:00
Benjamin Berg
6cb421c1fa nl80211: Fix link indexing in nl80211_connect_common()
In some places the wrong index variable was used to access the link
configuration. Fix this by simply using link_id instead of i.

With this, the i loop variable is not needed anymore. We can simply
always pass 0 to nla_nest_start(). Also, the kernel does not care about
the order that the links are provides, so just remove the special
handling for the association link.

Fixes: a2c4c0b1b6 ("nl80211: Support MLD association request")
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-03-02 10:59:02 +02:00
Ilan Peer
408a399aa4 nl80211: Explicitly differentiate between 5 GHz and 6 GHz modes
When a device supports both the 5 GHz band and the 6 GHz band,
these are reported as two separate modes, both with mode set to
HOSTAPD_MODE_IEEE80211A. However, as these are different modes,
each with its own characteristics, e.g., rates, capabilities etc.,
specifically differentiate between them by adding a flag to indicate
whether the mode describes a 6 GHz band capabilities or not.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-03-02 10:53:19 +02:00
Benjamin Berg
b532201034 tests: Add missing scan cache flush
Otherwise a BSS from a previous test may still be in the cache.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-03-02 10:46:55 +02:00