freq_list is built in allocated heap memory and it needs to be freed
before returning from this function.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Clean up do_acs interface to not pass ch_list to drivers as the same
information is available in freq_list. The channel numbers are
duplicated between 2.4 GHz and 5 GHz bands and the 6 GHz band. So, use
the QCA_WLAN_VENDOR_ATTR_ACS_CH_LIST to populate only 2.4 GHz and 5 GHz
channels to ensure backwards compatibility with old drivers which do not
have support to decode the newer QCA_WLAN_VENDOR_ATTR_ACS_FREQ_LIST
attribute.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Skip DFS checks and CAC operation for 6 GHz channels. AFC checks
will be added for 6 GHz channels later.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
HT capability check is not required when starting AP on 6 GHz band as
only HE operation mode is allowed in the 6 GHz band.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This extends hostapd and wpa_supplicant DPP implementation to allow the
bootstrapping URI to be generated for and parsed from an NFC Tag with an
NFC URI Record. This is similar to the way the bootstrapping URI is used
with QR Code for unidirectional authentication.
The DPP_BOOTSTRAP_GEN command uses "type=nfc-uri" to request the URI to
be assigned for NFC URI Record. In practice, the URI is generated
identically to the QR Code case, but the internal entry maintains the
NFC-URI type.
A new command "DPP_NFC_URI <uri>" can now be used to parse the URI read
from an NFC Tag with the NFC URI Record. This is similar to the
DPP_QR_CODE command.
Other commands (mainly, DPP_LISTEN and DPP_AUTH_INIT) are used for NFC
URI in the same way as they are used for QR Code.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Commit 844dfeb804 ("QCA vendor command support to set band to driver")
added a vendor command to pass 'SET setband' command information to the
driver in wpa_supplicant. Add similar changes to hostapd control
interface.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Previously, nonzero sae_h2e parameter values were used to perform SAE
H2E specific operations (deriving PT, adding RSNXE, adding H2E-only BSS
membership selector) in AP mode even if SAE was not enabled for the
network. This could result in unexpected behavior if sae_pwe=1 or
sae_pwe=2 were set in the configuration. Fix this by making the SAE
operations conditional on SAE being actually enabled.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This allows Configurator to be configured to use the ssid64 option in
the discovery object for a station Enrollee.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The discovery object is now allowed to use either the UTF-8 encoded
string ssid or base64url encoded ssid64.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Allow any pointer to be used as source for encoding and use char * as
the return value from encoding and input value for decoding to reduce
number of type casts needed in the callers.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Allow any pointer to be used as source for encoding and use char * as
the return value from encoding and input value for decoding to reduce
number of type casts needed in the callers.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
There is no use case for adding padding into the base64url encoded
strings, so remove the unneeded add_pad argument that was hardcoded to 0
in all callers.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The UTF-8 encoded ssid string was replaced with base64url encoded ssid64
string, so update the implementation to match.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The WMM TSPEC processor used the input buffer for processing the request
and building the response. This was fine for the FT case, but for the
WMM Action frame case, the input buffer is marked const, so it should
not really be modified. This modification could not really cause any
noticeable harm, but it can result in error reports from fuzzing and
potentially even from some static analyzers.
Fix this by marking the input arguments const more consistently (the
parsed IE was able to drop the const) and copy the const input data to a
temporary buffer for processing and modification instead of allowing the
input data to be modified.
Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19050
Signed-off-by: Jouni Malinen <j@w1.fi>
Commit 947b5a1532 ("P2P: Stop listen state if Action frame TX is
needed on another channel") added an optimization for P2P response
transmission in certain concurrent operation cases. However, it did not
take into account possibility of the driver not being in listen
state (p2p->drv_in_listen == 0) and could end up getting stuck with the
P2P state machine in a manner that made the device not listen for
following messages. This showed up in following manner in the debug log:
P2P: Starting short listen state (state=SEARCH)
P2P: Driver ended Listen state (freq=2437)
process received frame and send a response
P2P: Stop listen on 0 MHz to allow a frame to be sent immediately on 2437 MHz
P2P: Clear timeout (state=SEARCH)
--> state machine stuck
Fix this by adding drv_in_listen > 0 condition for the optimization to
stop the listen operation in send_action() resulting in scheduled TX.
Fixes: 947b5a1532 ("P2P: Stop listen state if Action frame TX is needed on another channel")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Update center frequency and center frequency2's DFS channel status in
VHT80+80 mode. Otherwise it will cause AP failed to start on a DFS
channel.
Tested: qca9984 with firmware ver 10.4-3.10-00047
Signed-off-by: Rick Wu <rwu@codeaurora.org>
Signed-off-by: Lei Wang <leiwa@codeaurora.org>
wpa_validate_wpa_ie() was already extended to cover these cases with
WPA_INVALID_PMKID return value, but hostapd_notif_assoc() did not have
code for mapping this into the appropriate status code
(STATUS_INVALID_PMKID) and ended up using the default
(WLAN_STATUS_INVALID_IE) instead. This caused AP SME-in-driver cases
returning incorrect status code when the AP did not have a matching
PMKSA cache entry. This could result in unexpected station behavior
where the station could continue trying to use a PMKSA cache entry that
the AP does not have and not being able to recover this.
Fix this by adding the previously missed mapping of validation errors to
status/reason codes.
Fixes: 567da5bbd0 ("DPP: Add new AKM")
Fixes: 458d8984de ("SAE: Reject request with mismatching PMKID (no PMKSA cache entry)")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This array can be freed either from the scan parameters or from
clearing the MAC address randomization parameters from the
wpa_supplicant struct. To make this ownership more clear, we have
each struct own its own copy of the parameters.
Signed-off-by: Eric Caruso <ejcaruso@chromium.org>
The "\\u%04x" printf string did not really work in the correct way if
char is signed. Fix this by type casting this to unsigned char.
Signed-off-by: Jouni Malinen <j@w1.fi>
SUITE_B_192 AKM capability was indicated for all devices using the
nl80211 driver (without the QCA vendor specific AKM capability
indication). However, some devices can't handle Suite B 192 due to
insufficient ciphers supported. Add a check for CCMP-256 or GCMP-256
cipher support and only indicate SUITE_B_192 capability when such cipher
is supported. This allows compiling with CONFIG_SUITEB192 and still get
proper response to the 'GET_CAPABILITY key_mgmt' command. Under Android
it can also serve as a dynamic way for HAL to query platform for
WPA3-Enterprise 192-bit support.
Signed-off-by: Mikael Kanstrup <mikael.kanstrup@sony.com>
Addi STA node details in AP through QCA vendor subcommand
QCA_NL80211_VENDOR_SUBCMD_ADD_STA_NODE vendor when processing FT
protocol roaming.
Signed-off-by: Shiva Sankar Gajula <sgajula@codeaurora.org>
To config BT coex chain mode, add a new QCA sub command
QCA_NL80211_VENDOR_SUBCMD_BTC_CHAIN_MODE.
This new command has two attributes:
1. QCA_VENDOR_ATTR_COEX_BTC_CHAIN_MODE: u32 attribute. Indicates the
BT coex chain mode, are 32-bit values from enum qca_btc_chain_mode.
2. QCA_VENDOR_ATTR_COEX_BTC_CHAIN_MODE_RESTART: flag attribute.
If set, vdev should be restarted once BT coex chain mode is updated.
Signed-off-by: Yu Wang <yyuwang@codeaurora.org>
The QCA_NL80211_VENDOR_SUBCMD_OEM_DATA command was previously defined
only to pass data blobs from user space to kernel (application to
firmware) but there was no mechanism to send the data blobs from
firmware to application. Extend this to define use of the same
subcommand and attributes as vendor events.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
If hostapd had existing STA SAE state, e.g., from a previously completed
SAE authentication, a new start of a separate SAE authentication (i.e.,
receiving of a new SAE commit) ended up using some of the previous
state. This is problematic for determining whether to H2E vs. looping
since the STA is allowed (even if not really expected to) to change
between these two alternatives. This could result in trying to use H2E
when STA was using looping to derive PWE and that would result in SAE
confirm failing.
Fix this by determining whether to use H2E or looping for the restarted
authentication based on the Status Code in the new SAE commit message
instead of previously cached state information.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This wrapper function is not used anymore, so drop it instead of trying
to figure out good way of implementing it in constant time with various
crypto libraries.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Remove support for performing full sqrt(), i.e., only support curves
that use prime with p = 3 mod 4. In practice, this drops only group 26
with SAE H2E. This seems acceptable since there does not seem to be any
strong use case for that group taken into account the limits being
placed on acceptable prime lengths.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
The IE minimum length determination in hostapd_eid_ext_capab() was not
fully up to date with the hostapd_ext_capab_byte() conditions. This
could result in omitting some of the capability octets depending on
configuration. Fix this by adding the missing conditions.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
If there are no post-provision discovery operations, we should continue
in find mode to avoid getting the p2p_find operation stopped (stuck in
SEARCH state) unexpectedly.
Signed-off-by: Jimmy Chen <jimmycmchen@google.com>
Protect RSNXE, if present, in FT Reassociation Request/Response frames.
This is needed for SAE H2E with FT.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Use a single struct definition and a single shared implementation for
parsing EAPOL-Key KDEs and IEs instead of maintaining more or less
identical functionality separately for wpa_supplicant and hostapd.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
If a STA indicates support for SAE H2E in RSNXE and H2E is enabled in
the AP configuration, require H2E to be used.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
If the STA advertises RSN Extension element, it has to be advertised
consistently in the unprotected ((Re)Association Request) and protected
(EAPOL-Key msg 2/4) frames. Verify that this is the case.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This is needed to be able to compare the received RSNXE to a protected
version in EAPOL-Key msg 2/4.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add the new RSNXE into (Re)Association Request frames and EAPOL-Key msg
2/4 when using SAE with hash-to-element mechanism enabled. This allows
the AP to verify that there was no downgrade attack when both PWE
derivation mechanisms are enabled.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Add a QCA vendor subcommand QCA_NL80211_VENDOR_SUBCMD_ADD_STA_NODE with
attributes qca_wlan_vendor_attr_add_sta_node_params to add STA peer
entries in AP mode. This vendor sub command is used in FT roaming
scenario to send STA node information from application/service to
driver/firmware. The attributes defined in enum
qca_wlan_vendor_attr_add_sta_node_params are used to deliver the
parameters.
Signed-off-by: Shiva Sankar Gajula <sgajula@codeaurora.org>
The OEM data binary blobs from application/service will be routed to the
appropriate device based on this attribute value. This optional
attribute is used to specify whether the device type is virtual or
physical. This attribute can be omitted when the command is for a
virtual device.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Some chipsets don't have the capability to run agile spectral scan with
160/80+80 MHz modes. Add separate agile spectral scanning capability
flags for 160, 80+80, and non-160 MHz modes to cover such cases.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>