Commit graph

2819 commits

Author SHA1 Message Date
Michael-CY Lee
b653420a23 AP MLD: Set link address only when non-AP MLD is not added to driver
Once the non-AP MLD is added to the driver, the driver handles the
address translation so that hostapd receives Management frames with
SA/DA being translated into MLD MAC addresses.

If the Authentication frmae is retransmitted with transaction being 1,
SA of the retransmitted Authentication frame is translated into the MLD
MAC address by the driver, and then in the function handle_auth(),
sta->mld_info.links[].peer_addr would be replaced by the MLD MAC address
even though it is supposed to be the link address.

Therefore, update the MLD information only when the STA has not yet been
added into the driver to avoid replacing the previously determined link
address with the MLD MAC address.

Fixes: bcbe80a66 ("AP: MLO: Handle Multi-Link element during authentication")
Signed-off-by: Michael-CY Lee <michael-cy.lee@mediatek.com>
2024-03-03 21:33:46 +02:00
Janusz Dziedzic
b483ceafc4 hostapd: Dump VHT/HE/EHT full capabilities in STA command output
Show full VHT/HE/EHT capabilities for connected stations.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
2024-03-03 20:07:41 +02:00
Jouni Malinen
040ba112aa Use os_snprintf_error() more consistently in STA output generation
In theory, os_snprintf() could return a negative value and as such,
os_snprintf_error() should be used in all cases where the buffer might
not be large enough.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-03-03 20:01:27 +02:00
Benjamin Berg
dbdf7ef679 Use for_each_link() in most cases
This was done using the below semantic patch. There are a few more
places that were missed due to variable declarations or additional
checks in the for loop.

@@
iterator name for_each_link;
identifier max_links =~ "MAX_NUM_MLD_LINKS|MAX_NUM_MLO_LINKS";
expression links;
expression further_tests;
identifier i;
statement stmt;
@@
-for (i = 0; i < max_links; i++)
+for_each_link(links, i)
 {
(
-  if (!(links & BIT(i)))
-    continue;
   ...
|
-  if (!(links & BIT(i)) || further_tests)
+  if (further_tests)
     continue;
   ...
|
-  if (further_tests || !(links & BIT(i)))
+  if (further_tests)
     continue;
   ...
|
-  if (links & BIT(i))
     stmt
|
-  if (further_tests && (links & BIT(i)))
+  if (further_tests)
     stmt
|
-  if ((links & BIT(i)) && further_tests)
+  if (further_tests)
     stmt
)
 }

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-03-02 11:11:12 +02:00
Ilan Peer
408a399aa4 nl80211: Explicitly differentiate between 5 GHz and 6 GHz modes
When a device supports both the 5 GHz band and the 6 GHz band,
these are reported as two separate modes, both with mode set to
HOSTAPD_MODE_IEEE80211A. However, as these are different modes,
each with its own characteristics, e.g., rates, capabilities etc.,
specifically differentiate between them by adding a flag to indicate
whether the mode describes a 6 GHz band capabilities or not.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-03-02 10:53:19 +02:00
Sunil Ravi
dbcf9ff156 P2P: Notify the IP address of the connected P2P Client
When wpa_supplicant assigns the IP address (WFA EAPOL IP address
allocation feature), the assigned IP address of the P2P Client on the GO
side is notified in the AP-STA-CONNECTED event. So to obtain the IP info
to external programs, modify the STA authorized event to include the the
assigned IP address of the P2P Client.

Test: Establish P2P connection and verified from the logs that
      the P2P Client IP address is notified.
Signed-off-by: Sunil Ravi <sunilravi@google.com>
2024-03-01 20:36:41 +02:00
Chenming Huang
8cdb0d3f24 AP MLD: Stop AP per link
For AP MLD cases, the link id is required to determine the correct link
to stop in the stop_ap() driver op.

Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
2024-02-28 22:32:09 +02:00
Jouni Malinen
d084ef36b3 AP MLD: Clean up disassoc handling for non-AP MLD link validity check
The check for the non-AP MLD link being valid can be done one level
outside the loop that tries to find a matching AP link.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-02-28 22:17:57 +02:00
Chenming Huang
7ceafb6e9f AP MLD: Handle disassociation notification with SME offload to driver
For non-AP MLDs, clear STA entry from all affiliated links.

For legacy non-MLO case, find association link to clear the STA entry.

Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
2024-02-28 22:17:52 +02:00
Jouni Malinen
95a825bc43 RADIUS: Preliminary support RADIUS/TLS as an alternative to RADIUS/UDP
This adds initial parts for RADIUS/TLS support in the RADIUS client.
This can be used with eapol_test and hostapd. This functionality is not
included by default and CONFIG_RADIUS_TLS=y in .config can be used to
enable it.

This version does not yet include all the needed functionality for TLS
validation and the rules for dropping a TCP connection based on invalid
RADIUS attributes.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-02-25 20:54:14 +02:00
Haribabu Krishnasamy
352ad5f1a2 Apply CHAN_SWITCH in all BSS for MBSSID case
When the CHAN_SWITCH command is executed during multi BSSID case (say
BSS1, BSS2, and BSS3), if one of the BSS is disabled (say BSS2), the
CHAN_SWITCH command returns an error in BSS2 and does not proceed to the
next BSS (BSS3).

The CHAN_SWITCH command handler iterates over all configured BSSs and
attempts to send the switch_channel to each one. However, if any one of
the BSSs fails, the entire command is aborted and returns a failure.

Continue the iteration even if one BSS is failing to make sure the
configuration is applied to other BSSs.

Signed-off-by: Haribabu Krishnasamy <quic_hkr@quicinc.com>
2024-02-18 11:09:40 +02:00
Jouni Malinen
3a5d1a7e6d NAN: USD in hostapd
Add hostapd support for interacting with the NAN discovery engine to
allow single-channel (i.e., the AP's operating channel) USD as Publisher
or Subscriber.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-02-15 19:54:17 +02:00
Jouni Malinen
0b5d370c00 DPP: Fix DPP Action frame check for EVENT_RX_MGMT events
This was missing a check for the Category field and could have matched
other Action frames than Public Action frames.

Fixes: 9c2b8204e6 ("DPP: Integration for hostapd")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-02-14 01:01:07 +02:00
Jouni Malinen
8fa52a7974 FT: Allow wpa_supplicant to be configured to prepend PMKR1Name
The standard is somewhat unclear on whether the PMKIDs used in
(Re)Association Request frame (i.e., potential PMKIDs that could be used
for PMKSA caching during the initial mobility domain association) are to
be retained or removed when generating EAPOL-Key msg 2/4.

wpa_supplicant has replaced the PMKID List contents from (Re)Association
Request frame with PMKR1Name when generating EAPOL-Key msg 2/4 for FT.
Allow it to be configured (ft_prepend_pmkid=1) to prepend the PMKR1Name
without removing the PMKIDs from (Re)Association Request frame.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-02-03 20:58:01 +02:00
Jouni Malinen
9929426b92 FT: Allow PMKIDs from AssocReq to be in EAPOL-Key msg 2/4
The standard is somewhat unclear on whether the PMKIDs used in
(Re)Association Request frame (i.e., potential PMKIDs that could be used
for PMKSA caching during the initial mobility domain association) are to
be retained or removed when generating EAPOL-Key msg 2/4.

hostapd used to require that only the PMKR1Name is included in the PMKID
List of RSNE in EAPOL-Key msg 2/4. Extend this to allow the PMKIDs that
were included in the (Re)Association Request frame to be present as long
as the correct PMKR1Name is also present. This would allow PMKSA caching
to be used in initial mobility domain association with supplicant
implementations that insert the PMKR1Name without removing the PMKIDs
used in the (Re)Association Request frame. wpa_supplicant did not use to
that, but other implementations might.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-02-03 20:43:24 +02:00
Chenming Huang
5603899976 AP MLD: Handle EAPOL only on the association link
For some implementation, there is no link id in EAPOL event, e.g., use
drv_event_eapol_rx for receiving. Current design for such case is switch
to a link that stores the peer. However, this is error-prone because for
non-AP MLD case, sta_info is stored in all valid links but EAPOL sm is
only initialized in the association link. If EAPOL RX event is handled
in a non-association link, it will be discarded and this leads to EAPOL
timeout.

So find the association link to handle received EAPOL frame in such
case. This replaces the previously used workaround for RSN/wpa_sm for
the no link id specified case.

Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
2024-02-02 23:01:57 +02:00
Chenming Huang
7ba039ba11 AP MLD: Do not allow disabling first interface affiliated with an AP MLD
Disabling the first interface calls hapd_deinit(), which causes some
issues, e.g., failure when trying to disable other interfaces due to
NULL drv_priv.

So check that all other interfaces are already disabled before disable
the first interface.

Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
2024-02-02 22:54:44 +02:00
Chenming Huang
03e89de47b AP MLD: Process link info when handling new STA event with driver SME
When association is handled in hostapd, a non-AP MLD's info is stored in
all valid links. This should be the same when SME is offloaded to the
driver.

Also skip some operations that are already done by the driver
when SME is offloaded.

Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
2024-02-02 20:06:49 +02:00
Jouni Malinen
d3d59967af Handle both HT40+ and HT40- allowed consistently in channel check
Return the result from the first hostapd_is_usable_chan() call instead
of the following attempts in case of ht40_plus_minus_allowed to have
consistent behavior with the case where only one option is specified.
This allows the fallback to 20 MHz to work in additional cases.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-02-02 17:50:40 +02:00
Chenming Huang
e650fa4d79 ACS: Handle ACS channel selected event in specified link
When ACS offloaded to the driver, the channel selected event carries
link id to specify the link if operating as AP MLD.

Find the specified link to handle this event.

Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
2024-02-02 10:48:10 +02:00
Chenming Huang
0e91a86ec5 ACS: Add link id if operating as an AP MLD
ACS is triggered per link, so link id is needed for the driver to handle
when the ACS operation is offloaded.

Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
2024-02-02 10:44:46 +02:00
Harish Rachakonda
f972420e82 AP MLD: Fix AID allocation for legacy STA
Currently, AID is not allocated properly in hostapd for legacy non-MLD
STA in case of an AP MLD. All such stations have same AID.

Fix this issue by allocating AID properly in hostapd when operating as
an AP MLD and the STA is not an MLD.

Fixes: d924be3bd0 ("AP: AID allocation for MLD")
Signed-off-by: Harish Rachakonda <quic_rachakon@quicinc.com>
2024-01-30 11:50:21 +02:00
Jouni Malinen
14c5f401f0 Remove forgotted STAKey related functionality in EAPOL-Key Request
The use of a MAC KDE in the Key Data field of an EAPOL-Key Request frame
was only for the STAKey handshake. That handshake was implemented in
2005 as an experimental functionality and it was then removed in 2006.
However, this part of the functionality was forgotten. This does not do
anything in practice, so simplify the implementation and remove it.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-01-28 19:15:08 +02:00
Jouni Malinen
b27086e6eb Discard EAPOL-Key request without Secure=1
EAPOL-Key request is accepted only if the MIC has been verified, so PTK
must have already been derived and Secure=1 needs to be used. Check the
Secure bit explicitly for completeness even though the MIC verification
is already taking care of validating that the sender is in the
possession of valid keys.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-01-28 18:41:06 +02:00
Jouni Malinen
0967940885 Discard EAPOL-Key Request frames during 4-way handshake
While the Authenticator state machine conditions are already checking
for sm->EAPOLKeyRequest, it seems clearer to explicitly discard any
EAPOL-Key Request frame that is received unexpectedly during a 4-way
handshake.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-01-28 18:32:03 +02:00
Jouni Malinen
8037c1ad61 Move Key Replay Counter checks for EAPOL-Key frames to helper functions
This simplifies wpa_receive().

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-01-28 11:38:45 +02:00
Jouni Malinen
2c6147404e Check Key Descriptor Version value earlier in the process
There is no need to try to process the EAPOL-Key frame if it has an
unexpected Key Descriptor Version value. Move these checks to happen
earlier in the sequence. In adition, use a separate helper function for
this to simplify wpa_receive() a bit.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-01-28 11:26:16 +02:00
Jouni Malinen
bd1e078996 Reject undefined Key Descriptor Version values explicitly
Check that the EAPOL-Key frame Key Descriptor Version value is one of
the defined values explicitly instead of failing to process the Key Data
field later (or end up ignoring the unexpected value if no processing of
Key Data is needed).

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-01-28 11:22:47 +02:00
Jouni Malinen
fff69bba10 Use more generic checks for Key Descriptor Version 2 and 3
IEEE Std 802.11-2020 describes the rule based on not-TKIP for value 2
and no pairwise cipher condition on value 3, so use that set of more
generic rules here.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-01-28 11:18:40 +02:00
Jouni Malinen
74a25a6602 Remove always true check on EAPOL-Key message in authenticator
This was practically dead code since no other msg value exist anymore.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-01-28 11:07:55 +02:00
Jouni Malinen
f20ca22dce DFS: Print the random channel list entry selection in debug print
This makes it a bit easier to understand what happens with random
channel selection after radar detection.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-01-26 11:59:48 +02:00
Jouni Malinen
d88fe8fe5d DFS: Fix a typo in a debug message
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-01-26 11:42:54 +02:00
Jouni Malinen
348c047afd ACS: More consistent checking of the best channel pointer
It looks like best might be NULL in some cases, so check for this
explicitly before trying to dereference it for a debug print.

Fixes: 733de85680 ("ACS: Fix not selecting the best channel in the segment")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-01-22 21:58:06 +02:00
Jouni Malinen
5d54bf6fb6 Fix error path on Key Data field decryption
key_data_buf is already freed on the common exit path, so do not try to
free it here on error.

Fixes: 4abc37e67b ("Support Key Data field decryption for EAPOL-Key msg 2/4 and 4/4")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-01-22 21:54:34 +02:00
Jouni Malinen
a4d599a53d FT: Fix architecture for RxKH loading from a file
src/ap/ap_config.c is not really supposed to call directly into a
function in hostapd/config_file.c. Furthermore, the wrapper through
ap_config.c did not really have any real value since it just called a
function that is within hostapd/*.c and that wrapper was called from
hostapd/*.c.

Instead of the wrapper, just call the function directly within the
hostapd directory.

Fixes: 392114a179 ("FT: Add dynamic reload of RxKH definitions from file")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-01-22 21:30:10 +02:00
Jouni Malinen
456bfec470 Avoid uninitialized seq number in debug print for testing functionality
If the driver fetch for the current sequency number fails, do not try to
print the value in a debug print without having cleared it.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-01-22 21:16:47 +02:00
Jouni Malinen
1c90c8d24e DPP: Avoid a potential use-after-free on an error path in AP
The TX status handler for DPP Authentication Confirm message might have
resulted in use-after-free if the start of a GAS query were to fail,
e.g., due to being somehow unable to transmit the initial request. Avoid
this by explicitly confirming that the authentication session was not
removed.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-01-22 13:59:03 +02:00
Jouni Malinen
9456adeeba DPP3: Fix potential use-after-free on push button bootstrap info
When removing the bootstrap info for the PB context, all the possible
pointers to that information needs to be cleared to avoid accesses to
freed memory.

Fixes: 37bccfcab8 ("DPP3: Push button bootstrap mechanism")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-01-22 12:51:53 +02:00
Jouni Malinen
aa1aa289cd AP MLD: Optimize struct mld_link_info size
Use smaller variables when possible and reorder the variables to avoid
unnecessary padding. This drops struct mld_link_info size from 64 to 48
bytes and removes 240 bytes from struct sta_info.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-01-21 22:24:08 +02:00
Jouni Malinen
93eab9f0fa Mark hostapd_gen_probe_resp() static
This function has been used only within beacon.c and it got accidentally
converted to a global function.

Fixes: 6b5e00a80e ("AP: Use a struct for Probe Response generation in/out params")
Signed-off-by: Jouni Malinen <j@w1.fi>
2024-01-21 22:23:47 +02:00
Jouni Malinen
512b925240 AP MLD: Reduce struct mld_link_info size
Replace the fixed length maximum buffer size for STA profile with
dynamically allocated buffers for active links. This reduces struct
mld_link_info size by almost 16 kB and drops the per-STA information in
struct sta_info to a more reasonable size to avoid the almost 10x
increase from MLO support.

In addition, free the resp_sta_profile buffers as soon as the ML element
has bee generated for (Re)Association Response frame since those buffers
are not needed after that.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-01-21 21:59:11 +02:00
Jouni Malinen
b91572b308 AP MLD: Fix RADIUS deinit
The singleton RADIUS client design did not address the deinit path
properly. Since hapd->radius could be shared with another links, the
pointer on all those other links needs to be cleared before freeing the
RADIUS client context. Without this, deinit path could have ended trying
to use freed memory when clearing STA entries from other links and
trying to flush any pending RADIUS client messages.

Fixes: a213fee11d ("AP: MLO: Make IEEE 802.1X SM, authserv, and RADIUS client singletons")
Signed-off-by: Jouni Malinen <j@w1.fi>
2024-01-21 21:21:11 +02:00
Jouni Malinen
fa79e46c78 AP MLD: Use a helper function to set whether a STA is a non-AP MLD
This makes it easier to change the struct sta_info design for MLD by
reducing the number of direct references.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-01-21 19:08:08 +02:00
Jouni Malinen
6bda0aca8b AP MLD: Use a helper function to check if a STA is a non-AP MLD
This makes it easier to change the struct sta_info design for MLD by
reducing the number of direct references.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-01-21 19:08:08 +02:00
Jouni Malinen
ee9375fb3b tests: Association comeback mechanism in wpa_supplicant
Allow the Timeout Interval Type field in the Timeout Interval element to
be overridden with a different value for testing purposes to be able to
bypass the association comeback processing in mac80211. This allows the
wpa_supplicant internal functionality to be tested.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-01-21 12:17:23 +02:00
Dariusz Kopka
392114a179 FT: Add dynamic reload of RxKH definitions from file
hostapd reads the list of Rx Key Holders from hostapd.conf file.
However, for systems where topology changes dynamically, the update
of RxKHs list is required without reloading the whole configuration.

Introduce a new source of RxKH definition with original syntax:
- rxkh_file - Path to a file containing a list of RxKHs.

In addition, add a control interface command RELOAD_RXKHS to
reload RxKHs definition from the file specified in `rxkh_file`.

This allows hostapd to properly distribute Rx keys even after topology
change (assuming rxkh_file is updated and reload_rxkhs command issued).

Syntax of rxkh_file is the same as extraction of r0kh and r1kh options
from original hostapd.conf file.

```
r0kh=ff:ff:ff:ff:ff:ff * 00112233445566778899aabbccddeeff
r0kh=ff:ff:ff:ff:ff:ff * 00112233445566778899aabbccddeeff
r1kh=00:00:00:00:00:00 00:00:00:00:00:00 00112233445566778899aabbccddeef
r1kh=00:00:00:00:00:00 00:00:00:00:00:00 00112233445566778899aabbccddeef
r1kh=00:00:00:00:00:00 00:00:00:00:00:00 00112233445566778899aabbccddeef
```

Signed-off-by: Dariusz Kopka <dariusz@plume.com>
2024-01-20 10:23:04 +02:00
Dariusz Kopka
e94a7d7940 FT: Move RxKH configuration clearing into a helper function
This can be used as a shared function for reloading RxKHs at runtime.

Signed-off-by: Dariusz Kopka <dariusz@plume.com>
2024-01-20 10:19:25 +02:00
Jouni Malinen
5ff6a2749b Remove the MLD specific exception for distinguishing EAPOL-Key msg 2 and 4
Now that we have a more advanced check for the differences within the
Key Data field, nonzero Key Data Length case can be determined to be
EAPOL-Key msg 4/4 if there is no RSNE in the Key Data field.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-01-16 22:05:02 +02:00
Jouni Malinen
4abc37e67b Support Key Data field decryption for EAPOL-Key msg 2/4 and 4/4
Extend RSN authenticator to be able to process EAPOL-Key msg 2/4 and 4/4
messages in cases where the Key Data field is encrypted using AES key
wrapping (i.e., non-AEAD cipher). While there is not yet any defined
case where such encryption would be used in IEEE Std 802.11-2020,
extensions are considered to be added to use such constructions (e.g.,
in IEEE P802.11bh). As such, it is good to extend the parsing and
processing rules in the authenticator to be ready for such
functionality.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-01-16 21:05:13 +02:00
Jouni Malinen
f7a903654f Extend mechanism to distinguish EAPOL-Key msg 2/4 from 4/4
The initial Authenticator implementation depended on the Key Data field
being empty for EAPOL-Key msg 4/4. This worked fine for years in
practice, but in theory, vendor specific elements or KDEs could have
been added inti EAPOL-Key msg 4/4 and that would have broken this
design. In addition, the MLD case did introduce a KDE into EAPOL-Key msg
4/4 and required changes here.

As an initial step to make this more robust for future extensions,
recognize a received EAPOL-Key message as msg 4/4 if it is for RSN
(i.e., not WPAv1), has Secure=1, contains an unencrypted Key Data field,
and does not include RSNE.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-01-16 15:52:34 +02:00
Jouni Malinen
3547ed403d Authenticator side testing functionality for EAPOL-Key Key Data field
Allow additional elements and KDEs to be added to EAPOL-Key msg 1/4 and
3/4 and allow EAPOL-Key msg 3/4 Key Data field to be not encrypted.
These are for testing purposes to enable a convenient mechanism for
testing supplicant behavior with either potential future extensions or
incorrect Authenticator behavior.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-01-16 13:04:59 +02:00
Jouni Malinen
38719f113e Verify center frequency seg0/seg1 mapping result before use
Handle the center frequency to channel mapping more cleanly by skipping
the cases where the center frequencies are not set and verifying that
the mapping succeeds when they are set.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-01-14 21:14:42 +02:00
Baligh Gasmi
acea0654f0 Initialize the variables before using it in channel update
seg0 and seg1 variables can have any initial value, but they may cause
the BSS to have a wrong configuration later on in cases where the
separate center frequencies are not set.

Signed-off-by: Baligh Gasmi <gasmibal@gmail.com>
2024-01-14 21:13:24 +02:00
Andrei Otcheretianski
abc239a0b0 Get rid of multiple MIN macros
There are multiple redundant MIN macro declarations, some of which are
not protecting against side effects. Move it to common.h instead.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2024-01-14 20:13:20 +02:00
Jouni Malinen
f9b3ecb0ad DPP: Work arouind missing Auth Confirm ACK for testing
The dpp_test DPP_TEST_STOP_AT_AUTH_CONF case is supposed to prevent the
GAS exchange from happening. It was possible to bypass that testing
functionality if the TX status event for the Authentication Confirm
message was lost or delayed long enough for the GAS Request to be
proessed first. This could happen at least with UML time travel.

Work around this by checking for the special dpp_test case within GAS
request handling.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-01-14 12:10:04 +02:00
Jouni Malinen
2d83d224ff Use ether_addr_equal() to compare whether two MAC addresses are equal
This was done with spatch using the following semantic patch and minor
manual edits to clean up coding style and avoid compiler warnings in
driver_wext.c:

@@
expression a,b;
@@
-	os_memcmp(a, b, ETH_ALEN) == 0
+	ether_addr_equal(a, b)

@@
expression a,b;
@@
-	os_memcmp(a, b, ETH_ALEN) != 0
+	!ether_addr_equal(a, b)

@@
expression a,b;
@@
-	!os_memcmp(a, b, ETH_ALEN)
+	ether_addr_equal(a, b)

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-01-13 23:47:21 +02:00
Andrei Otcheretianski
8e8964cdbd AP: Fix compilation warning in hapd_pasn_update_params()
If CONFIG_FILS isn't set, the compiler complains about unused variables.
Fix it.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2024-01-13 23:47:20 +02:00
Ilan Peer
cbcd056ece AP: Fix a typo in function name
Rename hostpad_dfs_update_background_chain() to
hostapd_dfs_update_background_chain().

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2024-01-13 23:47:20 +02:00
Ilan Peer
38711a011f AP MLD: Remove link stations on a new station authentication
When a station tries to authenticate to an AP that is affiliated with an
AP MLD, we need to remove all station instances from all the APs.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2024-01-13 22:29:21 +02:00
Ilan Peer
c6f519ff15 AP: Support deauthenticate/disassociate with MLD
When requested to deauthenticate/disassociate a station also handle the
corresponding MLD stations.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2024-01-13 22:29:19 +02:00
Ilan Peer
9c937c8891 AP: Move hostapd_ml_get_assoc_sta() to shared
So it could be used from different contexts.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2024-01-13 22:20:30 +02:00
Ilan Peer
ea401c168e AP MLD: Fix station lookup in hostapd_ml_get_assoc_sta()
If the station is not an MLO station do not attempt to find the
association station and return false in the ML specific disconnection
processing.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2024-01-13 22:17:21 +02:00
Ilan Peer
e9f75a3520 AP: Unify code handling deauthentication/disassociation
This avoids unnecessary code duplication and adds the sta->wpa_sm deinit
calls for deauthentication while it was previously done only in the
disassociation case.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2024-01-13 22:14:17 +02:00
Ilan Peer
2112f0572f AP MLD: Correctly set the BSS parameters change count in RNR
Set the current value instead of hardcoded 1.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2024-01-13 19:44:05 +02:00
Jouni Malinen
9ccfc0d516 AP MLD: MLD address conversion for hostapd_drv_send_action_addr3_ap()
Commit 31e025c033 ("AP: When sending Action frames, use the AP MLD MAC
address if needed") added this for hostapd_drv_send_action(), but the
A3=BSSID variant of that function needs similar changes for GAS to work
correctly with STAs that are currently associated with MLO.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-01-13 19:09:31 +02:00
Jouni Malinen
febb51bf87 AP MLD: Fix Association Response frame ACK handling
Invert the check on hapd->conf->mld_ap on the affiliated links to
actually call the link specific callback handler. This is needed to set
the STA associated.

Fixes: 55038680a6 ("AP: MLO: Handle association callback")
Signed-off-by: Jouni Malinen <j@w1.fi>
2024-01-13 19:09:31 +02:00
Jouni Malinen
07f44a7c42 AP MLD: Prefer STA entry that has sta->wpa_sm initialized
This is needed to allow RSN operations, like PTK rekeying, to be
completed on the correct STA entry. The previous design worked by
accident since it was using the WLAN_STA_ASSOC flag and the code that
was supposed to set that flag did not work correctly and left it unset
for the interfaces that were not used for the initial 4-way handshake.
That needs to be fixed, so this search need to be extended to be able to
prefer the STA entry that has sta->wpa_sm set instead of just the
WLAN_STA_ASSOC flag.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-01-13 19:09:31 +02:00
Jouni Malinen
064c233d1e AP: Fix a regression in indoor 6 GHz AP determination
The change to use a helper function for checking he_6ghz_reg_pwr_type
missed the difference between two types of checks for different values:
indoor AP vs. SP AP. Fix this by introducing another helper function to
cover the indoor (i.e., SP and non-SP indoor cases).

Fixes: 121ccadeb4 ("AP: A helper function for determining whether the AP is an SP AP")
Signed-off-by: Jouni Malinen <j@w1.fi>
2024-01-04 11:04:20 +02:00
Michael-CY Lee
98f3bd26de ACS: Extend the 320 MHz support
There are bandwidth 320 MHz-1 and 320 MHz-2 channelization in EHT mode.
When using ACS, user might prefer one of the channelization or both, but
original ACS was unable to take such preference.

Another problem is that the original ACS returns only the ideal channel
but no 320 MHz channelization. The function acs_get_bw_center_chan()
also could not correctly return the center frequency of bandwidth 320
MHz that is decided by ACS.

For example, if ACS decide the ideal channel is channel 37 with
channelization 320 MHz-2 (center frequency 6265 MHz),
acs_get_bw_center_chan() returns 6105 MHz, which is 320 MHz-1.

Extend the support for 320 MHz so that ACS can choose the best channel
according to the user's preference. Also, after calling
acs_find_ideal_chan_mode(), the best channel and bandwidth can be
derived.

The changes are:
- bw_type ACS_BW320 is divided into ACS_BW320_1 and ACS_BW320_2
- in bandwidth 320 MHz, find the best channel and bandwidth according to
  user's perference (320 MHz-1, 320 Mhz-2 or both are OK)
- before acs_find_ideal_chan_mode() returns, update bw320_offset in
  iface->conf so that the best channel's channelization is recorded.
- get the best center frequency from bw320_offset

Co-developed-by: Money Wang <money.wang@mediatek.com>
Signed-off-by: Michael-CY Lee <michael-cy.lee@mediatek.com>
2023-12-23 16:38:06 +02:00
Michael-CY Lee
e6f2494c3a hostapd: Add eht_bw320_offset configuration option
Introduce a new configuration option, "eht_bw320_offset", which enables
devices to specify a preferred channelization for 320 MHz BSSs when
using automatic channel selection (ACS). This option is applicable only
when the channel is not already decided and the bandwidth is set to 320
MHz.

The value and meaning of the option:
0: auto-detected by ACS
1: 320 MHz-1
2: 320 MHz-2

Co-developed-by: Money Wang <money.wang@mediatek.com>
Signed-off-by: Michael-CY Lee <michael-cy.lee@mediatek.com>
2023-12-23 16:38:06 +02:00
Michael-CY Lee
733de85680 ACS: Fix not selecting the best channel in the segment
Fix the following bugs about selecting the best channels in the segment:
1. If the 'update_best' once became false, it never becomes true again.
   In other word, if one of the channels in the segment is not usable,
   the remaining channels in the segment were never able to be the best
   channel.
2. The primary channel in the segment might not be usable due to the
   insufficient survey data. Therefore, it cannot be the best channel and
   we cannot take its factor/weight into account.

Co-developed-by: Money Wang <money.wang@mediatek.com>
Signed-off-by: Michael-CY Lee <michael-cy.lee@mediatek.com>
2023-12-23 15:28:50 +02:00
Michael-CY Lee
4881accbb4 ACS: Add HT40- support in the 2.4 GHz band
Allow ACS to pick a HT40- channel in the 2.4 GHz band in addition to the
previously hardcoded HT40+ case.

Co-developed-by: Money Wang <money.wang@mediatek.com>
Signed-off-by: Michael-CY Lee <michael-cy.lee@mediatek.com>
2023-12-23 15:16:57 +02:00
Jouni Malinen
121ccadeb4 AP: A helper function for determining whether the AP is an SP AP
Get rid of unnecessary code duplication.

Signed-off-by: Jouni Malinen <j@w1.fi>
2023-12-22 20:57:53 +02:00
Jouni Malinen
24baffc8b6 AP: Share a common helper function for determining length of TPE elements
There is no need to maintain three copies of almost identical code.

Signed-off-by: Jouni Malinen <j@w1.fi>
2023-12-22 20:54:40 +02:00
Ilan Peer
150ee0c068 AP: Add an additional TPE element when needed
If the regulatory client EIRP PSD values advertised by an AP that is a
standard power AP or indoor standard power AP are insufficient to ensure
that regulatory client limits on total EIRP are always met for all
transmission bandwidths within the bandwidth of the AP’s BSS, the AP
shall also send a TPE element in Beacon and Probe Response frames as
that depicts the regulatory client EIRP limit.

Add support for this.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2023-12-22 20:43:27 +02:00
Ilan Peer
3cbb3ac3fa AP: Add TPE element for Indoor standard power AP
According to IEEE P802.11-REVme/D4.0, E.2.7 (6 GHz band), two Transmit
Power Envelope (TPE) elements need to be included by Indoor Standard
Power (Indoor SP) APs. Extend the code to support this.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2023-12-22 18:22:04 +02:00
Andrei Otcheretianski
bcad7fec65 AP: Publish the correct PSD value in RNR TBTT information field
According to IEEE P802.11-REVme/D4.0, 9.4.2.169.2 (Neighbor AP
Information field), the 20 MHz PSD subfield in the TBTT Information
field is a signed value with valid range of -127 to +126, while +127
indicates "no maximum transmit power is specified". Fix the default
value advertised.

Fixes: 3db24e4eef ("RNR: Define element format")
Fixes: a7c152d6b8 ("RNR: Add data from neighbor database")
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-12-22 18:20:28 +02:00
Ilan Peer
7065e5242a AP: Add configuration options for 6 GHz TPE Tx power
Add configuration options for setting the Tx Power value
in the Transmit Power Envelope for 6 GHz:

- The Tx power value for default client where the transmit
  power interpretation is "Regulatory Client EIRP PSD"
- The Tx power value for subordinate client where the transmit
  power interpretation is "Regulatory Client EIRP PSD"

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2023-12-22 18:06:49 +02:00
Ilan Peer
ada9083ac4 AP: Update the HE regulatory information AP types for the 6 GHz band
Update the HE regulatory information AP types based on IEEE
P802.11-REVme/D4.0. Set the default AP type to VLP. Check for valid
values when setting 'he_6ghz_reg_pwr_type' in the interface
configuration.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2023-12-22 17:57:26 +02:00
Ilan Peer
615835626f AP: Use the MLD MAC address for SAE authentication failures and testing
In cases of SAE failure and testing, mgmt->sa was used for sending the
Authentication frame. Fix these to use the station address (which is
the MLD MAC address in cases of non-AP MLDs).

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2023-12-22 16:47:48 +02:00
Jouni Malinen
4a973718d4 Split hostapd_eid_rnr_iface() into two functions
Make this a bit more readable by moving the per-BSS processing into a
helper function.

Signed-off-by: Jouni Malinen <j@w1.fi>
2023-12-22 16:17:20 +02:00
Ilan Peer
0b55b8da3c AP: Add testing option to indicate an AP is disabled
Add a testing configuration such that the AP would be reported as
disabled in the RNR TBTT information MLD parameters included by other
affiliated APs of the AP MLD.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2023-12-22 16:01:40 +02:00
Ilan Peer
409ebaaa1c AP: Support overriding EHT operation puncturing mask
Add support for overriding EHT Operation element puncturing mask
for testing purposes.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-12-22 14:19:28 +02:00
Andrei Otcheretianski
799115a8eb AP: Fix EHT MCS size validation for received element
STA EHT MCS and NSS set field size shouldn't depend on AP HE operation
channel width. Fix it.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-12-22 13:24:22 +02:00
Shiva Sankar Gajula
ee00bbd297 Support VLAN offload with SAE password based selection
Allow VLAN selection based on SAE password entries when VLAN offloading
is used.

Signed-off-by: Shiva Sankar Gajula <quic_sgajula@quicinc.com>
2023-12-21 20:12:18 +02:00
Jouni Malinen
09d57e5f89 MBSSID: Element ID values in increasing order in Non-Inheritance element
Reorder the Element ID List to fill in the values in increasing order to
match the way the Element ID List is defined.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-12-21 13:22:03 +02:00
Aditya Kumar Singh
c8dd70cfb1 Fix Multiple BSSID element length calculation
Currently while deciding to create a new Multiple BSSID element based on
the condition when the length reaches 255, the length value being used
is the total element length (including the length of the Element ID and
Length fields as well). However, the value in the length field denotes
the number of octets following it and excluding itself. Hence including
the total length is wrong. This leads to incorrect count of Multiple
BSSID elements.

And while filling the data, the length is considered porperly as it
should be hence we are filling more data in a single go and all data is
filled in MBSSID count which is less than originally calculated. This
ultimately leads to incorrect length calculation during nla_put() and
setting the beacon to the driver fails while putting the Multiple BSSID
element data into the netlink socket buffer.

Fix this issue by considering the length excluding the Element ID and
Length field sizes.

Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
2023-12-21 12:50:27 +02:00
Sai Pratyusha Magam
618df655ae Use sta->vlan_id when needed for VLAN offload
Share VLAN info in RRB when the driver advertises support for VLAN
offload (WPA_DRIVER_FLAGS_VLAN_OFFLOAD). sta->vlan_desc is unused in
this case, only sta->vlan_id is used. Skip the checks that are based on
sta->vlan_desc.

Signed-off-by: Sai Pratyusha Magam <quic_smagam@quicinc.com>
2023-12-21 12:24:35 +02:00
Jouni Malinen
38a5ed5fda AP MLD: Skip unknown Multi-Link element subelements
Instead of rejecting the Multi-Link element, skip unknown subelements to
be less likely to cause interop issues for future. IEEE P802.11be/D5.0
allows other optional subelements to be included here.

Signed-off-by: Jouni Malinen <j@w1.fi>
2023-12-17 21:53:52 +02:00
Jouni Malinen
2ab56694f6 Split ap_sta_set_authorized() into two steps
This function is both updating the hostapd-internal sta->flags value and
sending out the AP-STA-CONNECTED control interface message. When
authorizing a STA, the call to this function is followed by a driver
command to update the flags of the STA entry in the driver. That has a
race condition at least for UML time-travel since the AP-STA-CONNECTED
event is used as a message to wait for before running a connectivity
test or some other operation that depends on the data connection being
in working condition.

Split the function into two steps so that the driver STA entry update
can be done between those two steps for the cases where it matters for
the race condition. In other words, send the AP-STA-CONNECTED message
only after having authorized the STA in the driver.

Signed-off-by: Jouni Malinen <j@w1.fi>
2023-12-17 14:09:57 +02:00
Jouni Malinen
da8a38fecb Remove unused assignment from Country element generation
This looks confusing and can cause warnings from static analyzers.

Signed-off-by: Jouni Malinen <j@w1.fi>
2023-12-17 12:17:43 +02:00
Jouni Malinen
656cf50d8b More consistent sta pointer checks in handle_assoc()
Verify that sta is not NULL before calling
hostapd_process_assoc_ml_info() that references this parameter. In
theory, sta might be NULL here if addition of the STA entry failed in
the 60 GHz case.

Signed-off-by: Jouni Malinen <j@w1.fi>
2023-12-17 00:12:59 +02:00
Jouni Malinen
29f38ebcf6 ACS: Check whether iface->current_mode is NULL before use
This line seemed to trigger SIGSEGV in some code coverage testing cases.
It is not exactly clear how that was possible, but just in case, check
that iface->current_mode is set before using it here.

Signed-off-by: Jouni Malinen <j@w1.fi>
2023-12-17 00:02:43 +02:00
Jouni Malinen
7a873c81ee AP MLD: Do not schedule disconnection on BSS TM Request link removal
If the BSS TM Request for imminent BSS temoval is for a non-AP MLD that
has multiple affiliated links, do not schedule full disconnection since
other links remain associated.

Signed-off-by: Jouni Malinen <j@w1.fi>
2023-12-16 19:46:41 +02:00
Ilan Peer
ec70d14f7c AP: MLD: Extend BSS transition management request for link removal
Allow link removal imminent indication to be added with the new
link_removal_imminent=1 parameter to BSS_TM_REQ.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2023-12-16 19:46:41 +02:00
Ilan Peer
31e025c033 AP: When sending Action frames, use the AP MLD MAC address if needed
When the AP MLD sends an Action frame to a non-AP MLD, use the AP MLD
MAC address instead of the local AP address (BSSID).

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2023-12-16 18:54:39 +02:00
Ilan Peer
54e6c56d25 AP: Use AP MLD MAC address for terminating MLO association
Use the AP MLD MAC address when sending Deauthentication and
Disassociation frames to a non-AP MLD.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2023-12-16 18:49:56 +02:00
Ilan Peer
0546f0e1b0 WNM: Use correct address when configured as AP MLD
When the AP is configured to operate as an AP MLD, use the AP MLD MAC
address when needed for transmission of WNM Action frames.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2023-12-16 18:43:18 +02:00
Ilan Peer
d43a49a66d Remove a spurious tab in hostapd_eid_rnr()
Remove a spurious \tab char in hostapd_eid_rnr() between arguments to a
function.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-12-16 17:58:33 +02:00
Ilan Peer
a28ea8e517 AP: Fix setting MLD Parameters subfield in RNR element
In case the TBTT information is reporting about an AP in the same AP MLD
as the current AP, the AP MLD ID in the MLD Parameters subfield should
be set to 0.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-12-16 17:56:42 +02:00