There are two hw modes (5 GHz and 6 GHz) with HOSTAPD_MODE_IEEE80211A
and the current hw mode may be wrong after one channel switch to 6 GHz.
This will cause hostapd_set_freq_params() to return -1 when saving
previous state and the second channel switch to fail. Fix this by adding
hostapd_determine_mode() before every channel switch.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This is needed to match the key configuration design with a single
netdev and the nl80211 driver interface.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
In case of MLO AP and legacy client, make sure received EAPOL frames are
processed on the correct BSS.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
In case of MLO AP and legacy client, make sure Management frame TX
status is processed on the correct BSS.
Since there's only one instance of i802_bss for all BSSs in an AP MLD in
the nl80211 driver interface, the link ID is needed to forward the
status to the correct BSS. Store the link ID when transmitting
Managements frames and report it in TX status.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
In case of MLO AP and legacy client, make sure EAPOL TX status is
processed on the correct BSS.
Since there's only one instance of i802_bss for all BSSs in an AP MLD in
the nl80211 driver interface, the link ID is needed to forward the EAPOL
TX status to the correct BSS. Store the link ID when transmitting EAPOL
frames over control interface and report it in TX status.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Only the main link handles SAE authentication and OWE, skip them on
other links.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
MLO associations use the MLD address instead of the MAC address in SAE
derivation.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
If the AP is part of an AP MLD specify the link ID in the set_key
parameters whenever setting a group key.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
This provides the link specific group keys and last used PN/IPN/BIPN
values to the Supplicant in the MLO KDEs instead of the KDEs used for
non-MLO cases.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Verify that the MLD address in EAPOL-Key msg 4/4 is set correctly for
MLO cases. Note that the mechanism used here for distinguishing between
EAPOL-Key msg 2/4 and 4/4 is not exactly ideal and should be improved in
the future.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
This provides the link specific group keys and last used PN/IPN/BIPN
values to the Supplicant in the MLO KDEs instead of the KDEs used for
non-MLO cases.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Allow RSN authenticator to fetch the current group key information with
the keys and the last used PN/IPN/BIPN for MLO specific KDEs.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Verify that the affiliated link information matches between association
(unprotected) and 4-way handshake (protected).
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Make the MLO related information available for the RSN Authenticator
state machine to be able to perform steps needed on an AP MLD. The
actual use of this information will be in the following commits.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
EAPOL frames may need to be transmitted from the link address and not
MLD address. For example, in case of authentication between AP MLD and
legacy STA. Add link_id parameter to EAPOL send APIs.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
This allows proper TX status handling when MLD addressing is used for
Management frames. Note, that the statuses are still not forwarded to
the correct link BSS. This will be handled in later commits.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
This is needed for the driver to know on which link it should transmit
the frames in MLO cases.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Get rid of the duplicated code for setting IEEE 802.1X port
authorization for MLD and non-MLD cases.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Handle IEEE 802.1X port authorization in the context of MLO.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
When a non-AP MLD is deauthenticated/disassociated from an MLD AP, make
sure to clean up its state from all links.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
This is a step towards handling of deauthentication/disassociation from
an MLD AP.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Handle association request callback in the context of MLO.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Add the full station profile to the Multi-Link element in the
(Re)Association Response frame. In addition, use the AP MLD's MLD MAC
address as SA/BSSID once the non-AP MLD has been added to the driver to
use address translation in the driver.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Implement processing of the Multi-Link element in the (Re)Association
Request frame, including processing of the Per-STA Profile subelement.
After handling the basic parsing of the element and extracting the
information about the requested links, handle the link specific
processing for each link:
- Find the interface with the corresponding link ID.
- Process the station profile in the interface.
- Prepare the Per-STA Profile subelement to be included in the
Multi-Link element in the (Re)Association Response frame.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Find an AID that is unused on all the affiliated links when assigning an
AID to a non-AP MLD.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
In case the AP is an AP MLD, parse the Multi-Link element from the
Authentication frame, store the relevant information, and prepare the
response Multi-Link element.
If the AP is not an AP MLD or the parsing of the element fails, continue
the authentication flow without MLD support.
For SAE, it is needed to skip various fixed fields in
the Authentication frame. Implement it for SAE with H2E.
TODO: This should be extended to other authentication algorithms which
are allowed for MLD connections and have fixed fields in the
Authentication frames, according to IEEE P802.11-REVme/D3.0, Table 9-69
(Presence of fields and elements in Authentications frames).
This commit doesn't support FILS, FT, etc.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Define a struct to hold MLD station info and implement publishing of the
Basic Multi-Link element. Add it into Beacon and Probe Response frames.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Once a station is added to the underlying driver, the driver is expected
to do address translation and use MLD addresses. Thus, when handling a
received Management frame, match it against the MLD address.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
To simplify the handling of MLD stations, assume that all
interfaces/BSSs use the same IEEE 802.1X authenticator, the same RADIUS
server instance, and the same RADIUS client.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
- Include RNR element in Beacon frames of AP MLDs.
- Whenever a new interface is added to an AP MLD, reconfigure
the Beacon frame templates for all other interfaces, to allow
updating their RNR elements.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
This includes:
- Modifications of the driver API, to include the link ID as part
of 'struct hostapd_freq_params'.
- Modifications to nl80211 driver.
- Modifications for the driver wrappers.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
To be used in later patches, e.g., for link tracking etc.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Add support for including multiple hostapd interfaces in the same AP
MLD, i.e., all using the same underlying driver network interface.
To do so, when a new hostapd interface is added, if there is already
another interface using the same underlying network interface, associate
the new interface with the same private data object, instead of creating
a new one.
As some of the BSSs are non-first BSSs, meaning that they reuse the
drv_priv of the initial BSS, make sure not to double free it.
Currently multiple BSS entries are not supported so always use bss[0]
for MLD.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
AP cannot come up in channels that are marked as NO_IR. If AP moves to
HAPD_IFACE_DISABLED state, it will deinitialize the nl80211 driver
interface and sockets.
Hence, introduce a new state called HAPD_IFACE_NO_IR, for 6 GHz APs to
handle NO_IR scenarios, such as AFC, where the channels not allowed by
AFC will have HOSTAPD_CHAN_NO_IR flag set. In this state, AP is still
kept in a non-operational state (stopped) without deinitializing the
nl80211 driver interface. wiphy reg change event can then update the
channels and bring up the AP in a valid channel.
Signed-off-by: Pooventhiran G <quic_pooventh@quicinc.com>
Per IEEE P802.11az/D7.0, 12.12.3.2 (PASN Frame Construction and
Processing), responder should REFUSE PASN authentication frame 1 with
Base AKM as PASN AKM if dot11NoAuthPASNActivated is false. That
configuration was not previously available and hostapd was hardcoded
with dot11NoAuthPASNActivated being true.
Allow this to be configured and reject PASN authentication frame 1 from
initiator if pasn_noauth=0 and Base AKM in RSNE of this frame is PASN.
The default value for pasn_noauth is 1 to maintain previous
functionality even though the dot11NoAuthPASNActivated is defined to
have default value of false.
Signed-off-by: Sai Pratyusha Magam <quic_smagam@quicinc.com>
Setting 4addr mode on fronthaul BSS breaks WPS association on backhaul
STA which is still on 3addr mode.
Fix the interop issue by not setting 4addr mode on fronthaul BSS with
WPS instead of setting by default for multi-ap case.
Fronthaul BSS for non-WPS STA shall continue to use 4addr mode.
Signed-off-by: Sathishkumar Muruganandam <quic_murugana@quicinc.com>
The parameter req_pmk_r1_name was not used at all in the function
wpa_ft_local_derive_pmk_r1(). In addition, the PMK-R1-NAME should be
updated in this function along with the PMK-R1. This means the parameter
should change from "req_pmk_r1_name" to "out_pmk_r1_name" to match the
design used for other paths that derive the PMK-R1.
sm->pmk_r1_name needs to be properly updated when pmk_r1_name is derived
from the local pmk_r0.
Signed-off-by: Adil Saeed Musthafa <quic_adilm@quicinc.com>
Prune-associations should be done only after the new station is
authorized. Otherwise any STA can cause denial of service to connected
stations in PMF case when more than a single interface is being
controlled by the same hostapd process.
Signed-off-by: Adil Saeed Musthafa <quic_adilm@quicinc.com>
Some station devices are apparently sending the EAPOL-Logoff message in
some cases before the initial authentication for WPA2/WPA3-Enterprise.
hostapd would have forced a "post EAP-Failure" disconnection in 10 ms
for such cases while still allowing the EAP authentication to try to
complete.
This is not ideal and could result in interoperability issues, so skip
the forced disconnection in the particular case where the EAPOL-Logoff
message is received before the first authentication is completed.
In addition, disconnect the STA without starting new EAP authentication
and the 10 ms delay if an EAPOL-Logoff message is received after
authentication has been completed successfully. This results in cleaner
behavior by avoiding the extra start of a new EAP authentication in a
case where the STA is going to be disconnected shortly.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Some of the information elements added in IEEE Std 802.11ax-2013 for VHT
purposes have since then been taken into use for other cases and renamed
to remove the "VHT" prefix in the standard. Update the defines for those
elements in the implementation to match the names used in the current
standard.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Add validatation of center frequency, and filling of appropriate
bandwidth in the channel switch wrapper when the channel switch is done
to a 320 MHz channel.
Signed-off-by: Ramya Gnanasekar <quic_rgnanase@quicinc.com>
The execute bits were not supposed to be added to a source code file.
Fixes: 927dbfb453 ("Fix 40 MHz channel bringup with ACS on the 6 GHz band")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Use the op_class configuration to determine whether to select the 5 GHz
or 6 GHz mode for ACS. Without this, the first mode (5 GHz in most
cases) would have been selected regardless of the op_class value.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
When AP is brought up in HE40/EHT40 with ACS, the AP comes up with 20
MHz bandwidth. It is expected to come up with 40 MHz bandwidth.
conf->secondary_channel does not hold the correct value and it leads to
choosing 20 MHz in hostapd_set_freq_params(). conf->secondary_channel is
filled using the hostapd config he_oper_centr_freq_seg0_idx. When AP is
configured to use ACS, the hostapd config he_oper_centr_freq_seg0_idx is
not valid as the channel is not known during bring up. So using the
config he_oper_centr_freq_seg0_idx to fill the conf->secondary_channel
does not work with ACS.
Use op_class to determine the bandwidth and based on the bandwidth fill
the conf->secondary_channel to address this ACS case.
Signed-off-by: Hari Chandrakanthan <quic_haric@quicinc.com>
When 6 GHz band is specified and hw_mode parameter is set to any,
hostapd_determine_mode() may determine the wrong mode because there are
two hw modes (5 GHz and 6 GHz) with HOSTAPD_MODE_IEEE80211A. This will
cause 6 GHz AP to fail to start. Fix this by adding a check similar to
the changes in commit 99cd453720 ("hw_feature: Correctly select mode
in case of the 6 GHz band") into hostapd_determine_mode().
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
hostapd start AP flow changed in commit 931e5d4f9e. However, that
could cause a regression in a legacy AP driver where the set key
operation for GTK, IGTK, and BIGTK before AP start (set beacon) would
cause the driver to ignore the key set command. Restore the flow of the
set beacon and WPA key init operations to make sure drivers can receive
and set group keys correctly.
Fixes: 931e5d4f9e ("mbssid: Configure all BSSes before beacon setup")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Add support to configure the allowed frequency list for AP operation
using a QCA vendor interface before NL80211_CMD_NEW_BEACON/
NL80211_CMD_START_AP. hostapd generates the allowed frequency list by
intersecting user configured frequency list and all the frequencies
advertised by the driver including disabled channels. If user doesn't
specify allowed frequency list, all the frequencies advertised by the
driver, including disabled channels, will be configured.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
As per IEEE Std 802.11ax-2021, 11.1.3.8.3 Discovery of
a nontransmitted BSSID profile, an EMA AP that transmits a Beacon
frame carrying a partial list of nontransmitted BSSID profiles
should include in the frame a Reduced Neighbor Report element
carrying information for at least the nontransmitted BSSIDs that
are not present in the Multiple BSSID element carried in that frame.
Add this support by splitting the reduced neighbor report (RNR) in as
many elements as the number of multiple BSSID elements. Each RNR element
excludes the non-transmitting profiles already included in the MBSSID
element at the same index. If present, the last additional group will
have the data common for all EMA beacons such as neighbor AP information
gathered through neighbor reports.
The hwsim test case he_ap_ema demonstrates this support.
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Do not include interfaces on the same radio in reduced neighbor
report elements (RNR) as multiple BSSID elements from the same
management frame already include these if MBSSID feature is enabled.
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
center_idx_to_bw_6ghz() does not return the bandwidth in MHz and as
such, the check here against 20 (MHz) is never true. The returned value
is greater than 0 for the over 20 MHz cases.
Fixes: 15742566fd ("6 GHz: Fix operating class in Supported Operating Classes element")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Add a new option 'punct_acs_threshold' where the value indicates
the percentage of ideal channel average interference factor above
which a channel should be punctured. Default is set to 0 which disables
the puncturing for ACS.
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Retrieve the puncturing bitmap sent by the driver in channel switch
events and add a new member punct_bitmap in struct ch_switch to store
it.
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Send the user configured puncturing bitmap to the driver.
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Signed-off-by: Muna Sinada <quic_msinada@quicinc.com>
Add preamble puncturing bitmap to the EHT Operation element as per IEEE
P802.11be/D3.0, Figure 9-1002c (EHT Operation Information field format).
Bits set to 1 indicate that the subchannel is punctured, otherwise
active.
Signed-off-by: Muna Sinada <quic_msinada@quicinc.com>
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Signed-off-by: Balamurugan Mahalingam <quic_bmahalin@quicinc.com>
Legacy modes (VHT, HE) should advertise downgraded bandwidth if
RU puncturing is enabled in EHT mode. This is required for the legacy
stations which cannot parse the EHT Operation elements hence do not
support EHT RU puncturing.
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Signed-off-by: Ramanathan Choodamani <quic_rchoodam@quicinc.com>
Add a new option to configure the disabled subchannel bitmap as per
IEEE P802.11be/D3.0, Figure 9-1002c (EHT Operation Information
field format).
Signed-off-by: Muna Sinada <quic_msinada@quicinc.com>
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Maximum NSS calculation assumed the host to be little endian while
retrieving MCS values from HE capabilities which is incorrect. Use
WPA_GET_LE16() instead.
Add a check for HE as the current NSS calculation assumes HE support.
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
FILS discovery frame generation currently assumes HE support for
calculating the number of spatial streams. Add a check to reject
the configuration if the feature is enabled without enabling HE.
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Once ACS picks a channel, iface->freq and iface->conf->channel are
updated. So, AP comes up in the last operating channel when 'ENABLED'
after 'DISABLED' though ACS is configured.
But this will fail for 6 GHz APs since configured_fixed_chan_to_freq()
checks if iface->conf->channel is filled or not irrespective of ACS
configuration, and the checks inside configured_fixed_chan_to_freq()
fail the AP setup. Fix this by clearing iface->freq and
iface->conf->channel in AP setup for ACS configuration.
Fixes: bb781c763f ("AP: Populate iface->freq before starting AP")
Signed-off-by: Pooventhiran G <quic_pooventh@quicinc.com>
As a preparation to use AP MLD address and non-AP MLD address
in the RSN Authenticator state machine, add utility functions to
get the current AA and SPA.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
As a preparation for processing an association request with
ML element, split the function such that the elements checking
would be separate from parsing.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Multi link stations are represented in the kernel using a single
station with multiple links and the first ADD_STA command also
creates the first link. Subsequent links should be added with
LINK_ADD commands.
Implement this logic and provide the required MLD information per
station/link.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
"multicast_to_unicast" and "hairpin_mode" are usually set outside of
hostapd. However, DFS channel change events pull the BSS out of the
bridge causing these attributes to be lost. Make these settings tunable
within hostapd so they are retained after the BSS is brought up again.
Signed-off-by: Anthony Refuerzo <anthony96922@gmail.com>
Add the country_code and country3 config parameter to the STATUS output
to easier determine the current values for each of an hostapd
access point. Currently neither STATUS, GET [country_code/country3] nor
GET_CONFIG output it.
This is useful if the hostapd access point has been created with
wpa_ctrl_request() without using a *.conf file (like hostapd.conf).
Signed-off-by: Antonio Prcela <antonio.prcela@gmail.com>
Signed-off-by: Antonio Prcela <antonio.prcela@sartura.hr>
PTKSA was stored for the 4-way handshake and FILS cases, but not when it
was being derived through the use of the FT protocol.
Fixes: f2f8e4f458 ("Add PTKSA cache to hostapd")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This function is not used outside wpa_auth.c and it is not mentioned in
any header file either, so it should have been marked static.
Fixes: f2f8e4f458 ("Add PTKSA cache to hostapd")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
FT AP was silently ignoring EAPOL-Key msg 2/4 due to Key MIC mismatch
when the STA advertises support for Secure LTF and derives the KDK while
the AP implementation did not derive KDK.
Fix this to include KDK while deriving PTK for FT cases on the AP.
Signed-off-by: Shiva Sankar Gajula <quic_sgajula@quicinc.com>
Add support for WNM event report handling for the BSS color collision
and in use events.
Co-developed-by: Ryder Lee <ryder.lee@mediatek.com>
Signed-off-by: Yi-Chia Hsieh <yi-chia.hsieh@mediatek.com>
Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
Adding the hw_mode config parameter to the STATUS output to easier
determine the current hw_mode of an hostapd access-point. Currently
neither STATUS, GET hw_mode, nor GET_CONFIG output it.
Useful if the hostapd access point has been created with
wpa_ctrl_request() without using a *.conf file, like hostapd.conf.
Signed-off-by: Antonio Prcela <antonio.prcela@gmail.com>
Signed-off-by: Antonio Prcela <antonio.prcela@sartura.hr>
Change Probe Response frames to be sent as broadcast for 6 GHz band per
IEEE Std 802.11ax‐2021, 26.17.2.3.2: "If a 6 GHz AP receives a Probe
Request frame and responds with a Probe Response frame (per 11.1.4.3.4),
the Address 1 field of the Probe Response frame shall be set to the
broadcast address, unless the AP is not indicating its actual SSID in
the SSID element of its Beacon frames."
Signed-off-by: Hari Chandrakanthan <quic_haric@quicinc.com>
hostapd was previously storing the derived PMK-R0 and PMK-R1 as soon as
these keys were derived. While that is fine for most purposes, it is
unnecessary to do that so quickly and if anything were to fail before
the supplicant is able to return a valid EAPOL-Key msg 2/4, there would
not really be any real use for the derived keys.
For the special case of FT-PSK and VLAN determination based on the
wpa_psk file, the VLAN information is set in the per-STA data structures
only after the EAPOL-Key msg 2/4 MIC has been verified. This ended up
storing the PMK-R0/PMK-R1 entries without correct VLAN assignment and as
such, any use of the FT protocol would not be able to transfer the VLAN
information through RRB.
Split local storing of the FT key hierarchy for the cases using the FT
4-way handshake so that PMK-R0 and PMK-R1 are first derived and then
stored as a separate step after having verified the MIC in the EAPOL-Key
msg 2/4 (i.e., after having confirmed the per-STA passphrase/PSK was
selected) and VLAN update. This fixes VLAN information for the
wpa_psk_file cases with FT-PSK.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
The initial MACsec implementation required the EAP Session-Id to be at
least 65 octets long and by truncating the value to that length, the
practical limit of functional cases was limited to that exact length of
65 octets. While that happens to work with EAP method that use TLS, it
does not work with most other EAP methods.
Remove the EAP Session-Id length constraint and allow any length of the
Session-Id as long as the EAP method provides one. In addition, simplify
this be removing the unnecessary copying of the Session Id into a new
allocated buffer.
Fixes: dd10abccc8 ("MACsec: wpa_supplicant integration")
Fixes: a93b369c17 ("macsec: Support IEEE 802.1X(EAP)/PSK MACsec Key Agreement in hostapd")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
The received Service Discovery Response frame follows the ap_mgmt_rx()
path in P2P GO mode. If gas_query_rx_frame() doesn't process the frame,
call the Public Action frame callbacks if any are registered for further
processing of the RX frame.
Fixes: 9c2b8204e6 ("DPP: Integration for hostapd")
Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
When I was testing dpp_auth_init on an AP with Enrollee on a different
channel from the AP I was getting failures. This happened on hwsim in
UML with time-travel for me. I don't recall seeing this with real
devices, presumably because of lax offchan implementation.
The DPP authentication would succeed. However the station would then try
to get configuration through a GAS request and fail.
The AP reported the following logs (grepped):
> 1614762426.860212: RX_ACTION category 4 action 10 sa 02:00:00:00:01:00 da 02:00:00:00:00:00 len 227 freq 2412
> 1614762426.860212: wlan0: GAS: GAS Initial Request from 02:00:00:00:01:00 (dialog token 239)
> 1614762426.860233: DPP: Wait for Configuration Result
> 1614762426.860234: nl80211: Send Action frame (ifindex=5, freq=2462 MHz wait=0 ms no_cck=0 offchanok=0)
> 1614762428.861186: DPP: Timeout while waiting for Configuration Result
> 1614762428.861186: wlan0: DPP-CONF-FAILED
While the STA reported the following logs (grepped):
> 1614762426.860193: wlan1: DPP-AUTH-SUCCESS init=0
> 1614762426.860195: DPP: Stop listen on 2412 MHz
> 1614762426.860202: wlan1: GAS-QUERY-START addr=02:00:00:00:00:00 dialog_token=239 freq=2412
> 1614762428.861185: GAS: No response received for query to 02:00:00:00:00:00 dialog token 239
> 1614762428.861189: DPP: GAS query did not succeed
> 1614762428.861189: wlan1: DPP-CONF-FAILED
AP would still receive the GAS request on ch1 but would then try to
respond on ch11 while STA was waiting on ch1.
Signed-off-by: Michal Kazior <michal@plume.com>
IEEE P802.11be/D2.0 added a 4-octet Basic EHT-MCS And Nss Set field into
the EHT Operation element. cfg80211 is now verifying that the EHT
Operation element has large enough payload and that check is failing
with the previous version. This commit does not really set the correct
Basic EHT-MCS And Nss Set values, but the IE length check is now passing
to allow initial mac80211_hwsim testing to succeed.
Signed-off-by: Jouni Malinen <j@w1.fi>
Authentication frames include several fixed body parts (see Table 9-68
(Authentication frame body) and Table 9-69 (Presence of fields and
elements in Authentication frames) in IEEE P802.11-REVme/D2.0).
To be able to parse the IE part, these fields need to be skipped. Since
SAE logic already implements this parsing, change SAE authentication
handling functions to return the offset to the IE part. This preparation
is needed for future MLD patches that need to parse out the ML related
elements in the Authentication frames.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
RSNXE bits were modified, so update the relevant places accordingly.
Please note, WLAN_RSNX_CAPAB_PROT_RANGE_NEG was renamed to
WLAN_RSNX_CAPAB_URNM_MFPR and the bit position is changed to 15 instead
of 10, while BIT 10 is used for WLAN_RSNX_CAPAB_URNM_MFPR_X20 and is not
supported yet.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Add the ability to require HE, advertising that via the
BSS membership selector as well as rejecting association
without HE.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
When AP is started on a DFS channel and DFS is offloaded to the driver,
AP setup will be separated to two stages. In the first stage, hostapd
will set frequency and initialize BSS, then waits the driver CAC to
complete. Once CAC done, in the second stage,
hostapd_setup_interface_complete() will be called again from a callback
to continue AP/channel setup.
But the driver will fail to restart AP if it is disabled/reenabled
during a driver CAC procedure because some steps such as setting
freq/beacon in the first stage are skipped due to cac_started not
cleared when the AP is disabled.
Avoid this by clearing cac_started when the AP is disabled.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Channel width in HE Capabilities element added to management frames is
calculated in hostapd_eid_he_capab() by intersecting the driver
capabilities and the operating channel width. Kernel uses this value
from the Beacon frames to verify EHT capabilities length. However, EHT
MCS length calculation uses only the driver capabilities which results
in EHT AP bring up failure in some cases dues to different lengths.
Modify the EHT code to use the HE operating channel width as well to
determine matching length for the information.
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Facilitate emitting more station information over D-Bus for use by the
connection manager.
* Add storage for more NL80211_STA_INFO_* fields to data structures, and
move them through the system.
* Reorder NL80211_STA_INFO_* fields in driver_nl80211.c to match the
ordering in nl80211.h.
* Convert signal field to an integer to support holding WPA_INVALID_NOISE
and avoid changing logging.
* Add fields to hostap_sta_driver_data to capture more information
* fcs_error_count
* beacon_loss_count
* expected_throughput
* rx_drop_misc
* rx_mpdus
* rx_hemcs
* tx_hemcs
* rx_he_nss
* tx_he_nss
* avg_signal
* avg_beacon_signal
* avg_ack_signal
* Add struct hostap_sta_driver_data to struct wpa_signal_info and remove
redundant fields and redundant attribute parsing
* Change logging when printing txrate to handle unsigned long
value
Signed-off-by: David Ruth <druth@chromium.org>
Indicate whether the collocated BSS in the RNR is a part of a multiple
BSSID set and whether it is a transmited BSSID.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
As described in IEEE Std 802.11-2020, 11.1.3.8 Multiple BSSID procedure,
set the lowest AID value assigned to any client equal to 2^n, where n is
the maximum BSSID indicator of the MBSSID set.
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Co-developed-by: John Crispin <john@phrozen.org>
Signed-off-by: John Crispin <john@phrozen.org>
Process the Known BSSID elements if included by non-AP stations. The
format is described in IEEE Std 802.11ax-2021, 9.4.2.261.
Non-AP stations may include this element in directed Probe Request
frames to indicate which of the multiple BSSIDs they have already
discovered. AP should exclude these profiles from the Probe Response
frame.
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Add Multiple BSSID Configuration element data per IEEE Std
802.11ax-2021, 9.4.2.260 when enhanced multiple BSSID advertisement
(EMA) is enabled. This element informs the stations about the EMA
profile periodicity of the multiple BSSID set.
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Set extended capabilities as described in IEEE Std 802.11ax-2021,
9.4.2.26. Reset the capability bits to 0 explicitly if MBSSID and/or EMA
is not enabled because otherwise some client devices fail to associate.
Bit 80 (complete list of non-tx profiles) is set for all Probe Response
frames, but for Beacon frames it is set only if EMA is disabled or if
EMA profile periodicity is 1.
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Co-developed-by: John Crispin <john@phrozen.org>
Signed-off-by: John Crispin <john@phrozen.org>
Add helper functions to retrieve the context for the transmitting
interfaces of the MBSSID set and the index of a given BSS.
Set device parameters: BSS index and the transmitting BSS.
Include Multiple BSSID elements in Beacon and Probe Response frames.
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Co-developed-by: John Crispin <john@phrozen.org>
Signed-off-by: John Crispin <john@phrozen.org>
Add data per IEEE Std 802.11-2020, 9.4.2.240. Current implementation is
added for the security and extended supported rates only.
For the Extended rates element, add a new member 'xrates_supported'
which is set to 1 only if hostapd_eid_ext_supp_rates() returns success.
Without this change, there are cases where this function returns before
adding the element for the transmitting interface resulting in incorrect
addition of this element inside the MBSSID Non-Inheritance element.
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Co-developed-by: John Crispin <john@phrozen.org>
Signed-off-by: John Crispin <john@phrozen.org>
Co-developed-by: Sowmiya Sree Elavalagan <quic_ssreeela@quicinc.com>
Signed-off-by: Sowmiya Sree Elavalagan <quic_ssreeela@quicinc.com>
Add Multiple BSSID element data per IEEE Std 802.11ax-2021, 9.4.2.45.
Split the BSSes into multiple elements if the data does not fit in
the 255 bytes allowed for a single element.
Store the total count of elements created and the offset to the start
of each element in the provided buffer.
Set the DTIM periods of non-transmitted profiles equal to the EMA
profile periodicity if those are not a multiple of the latter already as
recommended in IEEE Std 802.11ax-2021, Annex AA (Multiple BSSID
configuration examples).
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Co-developed-by: John Crispin <john@phrozen.org>
Signed-off-by: John Crispin <john@phrozen.org>
When multiple BSSID advertisement feature is enabled in IEEE 802.11ax
mode or later, Beacon frames are not transmitted per interface, instead
only one of the interfaces transmits Beacon frames that include one or
more Multiple BSSID elements with configuration for the remaining
interfaces on the same radio.
Change the existing logic such that all configuration details for all
the interfaces are available while building the Beacon frame template
for the transmitting interface itself.
Do not change the flow for the cases where multiple BSSID advertisement
is not enabled.
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Retrieve driver capabilities for the maximum number of interfaces for
MBSSID and the maximum allowed profile periodicity for enhanced MBSSID
advertisement.
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Add configuration option 'mbssid' used to enable multiple BSSID (MBSSID)
and enhanced multiple BSSID advertisements (EMA) features.
Reject the configuration if any of the BSSes have hidden SSID enabled.
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Co-developed-by: John Crispin <john@phrozen.org>
Signed-off-by: John Crispin <john@phrozen.org>
Add a testing option to delay EAPOL-Key messages 1/4 and 3/4. By setting
delay_eapol_tx=1, the actual EAPOL Tx will occur on the last possible
attempt (wpa_pairwise_update_count) thus all previous attempts will fail
on timeout which is the wanted delay.
In addition, add an hwsim test that uses this testing option to verify
that non protected Robust Action frames are dropped prior to keys
installation in MFP.
Signed-off-by: Daniel Gabay <daniel.gabay@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Include the start of the next EAP method in an EAP Payload TLV in the
same message with the Crypto-Binding TLV for the previous EAP method to
get rid of one roundtrip when using more than a single EAP
authentication method within the tunnel. The previous, not optimized,
sequence can still be used with eap_teap_method_sequence=1 for more
complete testing coverage.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Even if the use of H2E isn't strictly mandatory when using SAE on 6 GHz,
WPA3-Personal pushes it on 6 GHz. So lets automatically enable it by
setting sae_pwe=2. This will allow both the hunting-and-pecking and
hash-to-element to work (and be backward compatible).
Signed-off-by: Nicolas Escande <nico.escande@gmail.com>
Just like with WPA-PSK and keyids it may be desired to identify
connecting clients to provide additional network filtering.
This does:
- extend DPP_EVENT_AUTH_SUCCESS to expose public
key hash of the peer so the system can pick it
up and use for identification later
- store public key hash in PMKSA from DPP Network
Intro for later use
- extend sta mib to print out the dpp_pkhash
from PMKSA if present
- extend AP_STA_CONNECTED to include the
dpp_pkhash from PMKSA if present
Signed-off-by: Michal Kazior <michal@plume.com>
This event is generated in a couple of places. It'll be easier to extend
the event with additional metadata if it's generated in a single place.
Signed-off-by: Michal Kazior <michal@plume.com>
When considering a channel for a bandwidth of 40/80/160 MHZ on the 5 GHz
or 6 GHz band, allow selecting one of the other channels in the segment
instead of the first one. This is done only if the other channel's
interference_factor is lower than the first one's.
Signed-off-by: Nicolas Escande <nico.escande@gmail.com>
When using 40/80/160 MHz bandwidth on the 5 GHz or 6 GHz band, enforce
the secondary channel to be the other channel of the corresponding 40
MHz segment.
Even if this is useless for now, this is preparatory work to allow ACS
to select a primary channel which is not the first of its segment.
Signed-off-by: Nicolas Escande <nico.escande@gmail.com>
When using 40/80/160 MHz bandwidth, instead of computing the index of
the segment center freq based on the selected channel, lets look it up
in the bw_desc[] table.
This is preparative work to allow selecting a primary channel which is
not the first of the segment.
Signed-off-by: Nicolas Escande <nico.escande@gmail.com>
This extracts the 3 lists of allowed channels for 40/80/160 MHz
bandwidth out of their respective functions. It also adds for each
segment the frequency of the segment's last channel and the index of the
segment's "center" channel.
This is preparative work to allow selecting a channel which is not the
first of its segment for 40/80/160 MHz. In addition, this adds the 5 GHz
160 MHz channel defined for 5735-5895 MHz (channels 149-177).
Signed-off-by: Nicolas Escande <nico.escande@gmail.com>
When using multiple BSSes on a single radio, it is sometimes desirable
to reconfigure one BSS, without disconnecting the stations already
connected to other BSSes on the same radio.
When a BSS is reconfigured using the SET command, there is no "old"
configuration we can compare to (so we cannot compare a hash of the
configuration for example).
One possible solution would be to make the current RELOAD command
reload only the current BSS. However, that could break the workflow of
existing users. Instead, introduce a new RELOAD_BSS command, which
reloads only the current BSS.
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
In hostapd_clear_old() multiple steps are needed to clear a BSS.
There are some places where it would be desirable to clear only some
BSSes and not all.
To make it easier to clear only some BSSes, split hostapd_clear_old()
with hostapd_clear_old_bss(), which does the same actions but on a
single BSS.
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
CONFIG_NO_RC4=y could have been used to remove this functionality, but
it might as well be done automatically based on CONFIG_FIPS=y as well.
Signed-off-by: Jouni Malinen <j@w1.fi>
IEEE Std 802.11-2020, 12.4.7.6 says that status code CHALLENGE_FAILURE,
needs to be sent in case the verification action fails for SAE Confirm
message frame from a STA: "An SAE Confirm message, with a status code
not equal to SUCCESS, shall indicate that a peer rejects a previously
sent SAE Confirm message. An SAE Confirm message that was not
successfully verified is indicated with a status code of
CHALLENGE_FAILURE."
hostapd, however, did not use this status code for this case. In
ieee802_11.c the function sae_check_confirm() is called and in case of
verification failure (-1 is returned), the response is set to
WLAN_STATUS_UNSPECIFIED_FAILURE (status code = 1). Fix this to use
CHALLENGE_FAILURE.
Signed-off-by: Koen Van Oost <koen.vanoost@airties.com>
Signed-off-by: Mert Ekren <mert.ekren@airties.com>
Explicitly check for invalid cases where the configured channel and
bandwidth might result in the full channel number range going beyond the
list of supported channels to avoid reading beyond the end of the
channel buffer.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
If an AP is started on a DFS channel (or any channels within its
bandwidth require DFS) and DFS is offloaded to the driver, hostapd needs
to wait for CAC to complete. But the driver may not do CAC and just
switches to a non-DFS channel instead. This would result in a failure to
start the AP because hostapd fails to receive a CAC complete event and
cannot finish interface setup.
Skip CAC and complete AP setup in the channel switch event handler for
this case.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
When the RADIUS server requests a STA to be deauthenticated imminently
without providing a reason URL, there is no need to allow the STA spend
any additional time associated. Deauthenticate the STA immediately after
it has ACK'ed the WNM-Notification frame indicating imminent
deauthentication or at latest two seconds after having processes the
Access-Accept message.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Commit 25b52e5f83 ("FT: Extend FTE parsing for FT-SAE-EXT-KEY") used
possible MIC length iteration to try to figure out the length of the MIC
field in FTE. That was the only option available at the time, but FTE is
now being extended in IEEE 802.11-REVme to explicitly indicate the
length of the MIC field for the new FT-SAE-EXT-KEY AKM to make this
easier.
Use the new design from the approved comment resolution (*) in
REVme/D2.0 ballot CID 3135 to simplify implementation. This gets rid of
the need to pass in key length and the somewhat strange need_{r0kh,r1kh}
parameters to wpa_ft_parse_ies().
(*)
https://mentor.ieee.org/802.11/dcn/22/11-22-1991-02-000m-proposed-resolutions-to-some-lb270-comments.docx
Signed-off-by: Jouni Malinen <j@w1.fi>
Using separate variables for BSSID and peer address is needed to support
Wi-Fi Aware (NAN) use cases where the group address is used as the BSSID
and that could be different from any other peer address. The
infrastructure BSS cases will continue to use the AP's BSSID as both the
peer address and BSSID for the PASN exchanges.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Add support to specify a Link ID for set key operation for MLO
connection. This does not change the existing uses and only provides the
mechanism for extension in following commits.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Make sure the elements were present before trying to parse them. This
was already done for most cases, but be consistent and check each item
explicitly before use.
Signed-off-by: Jouni Malinen <j@w1.fi>
struct wpas_pasn is common to both initiator and responder, so rename it
to pasn_data to avoid the "wpas_" prefix that could be seen as a
reference to wpa_supplicant (PASN initiator).
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
PASN responder validates auth 1 frame and sends auth 2 frame to the
initiator. It analyses the auth 3 frame and verifies successful
authentication. Wi-Fi Aware modules can reuse this functionality through
a shared library libpasn.so generated from this code. Move the PASN
functionality that is now decoupled from the hapd context into a
separate file in a common directory to make it easier to build such a
library.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This is helpful in being able to get the functionality needed for SAE
into a separate library (libpasn.so) without needing all of the
ieee802_11.c functionality.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Wi-Fi Aware R4 specification defines Beacon RSNE/RSNXE to be same as
RSNE/RSNXE present in Auth2 frame. So, MIC validation should be done
with the RSNE and RSNXE received in Auth2 frame.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Wi-Fi Aware R4 specification introduces a custom PMKID derived from
Nonce and TAG. This custom PMKID is included in PASN Authentication
frames during pairing verification. So, allow use of a custom PMKID in
PASN frames and validate it using a function handler. Wi-Fi Aware
component that uses libpasn.so should take care of validating the custom
PMKID.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Introduce a function handler to transmit PASN Authentication frames to
the driver. This removes the hapd dependency for sending the frames.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
PTK is stored in the PTKSA cache following a successful PASN handshake,
however AKMP is removed upon a WPA PASN reset. The PASN handshake is
used in the Wi-Fi Aware R4 specification to define the pairing setup
process. KDK is used to generate a new set of keys, while AKMP is
required for key derivation for pairing. So, keep AKMP in the PTKSA
cache.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This makes hostapd use the struct defines from pasn_common.h so that the
same struct is shared with wpa_supplicant.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Make struct wpas_pasn common for both the initiator and the responder by
adding required parameters for responder to the existing struct
wpas_pasn. This makes both hostapd and wpa_supplicant share the same
structure definitions in preparation for allowing PASN functionality to
be built into a separate library.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
AES-WRAP(KEK) protection of the Key Data field did not include all the
details in the log. Extend that to cover the details that were already
present for the AES-SIV case to make the debug log more useful for
analyzing issues in this area. Furthermore, print the full EAPOL-Key
frame in the log.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Figure out the correct hash algorithm based on which MIC field length
assumption results in successful parsing. This is needed since the key
length is not yet known at this point on the AP when using the new
FT-SAE-EXT-KEY AKM.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Provide AKM, key length, and information about needed subelements to the
parser function so that the variable length MIC field cases can be
recognized for FT-SAE-EXT-KEY. Knowledge about R0KH-ID/R1KH-ID being
needed is required to be able to iterate over possible MIC field lengths
for the case where the AP does not yet know the correct key length at
the beginning of FT protocol.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Provide AKM to the helper function so that the new SHA256 and SHA512
options can be covered for FT-SAE-EXT-KEY.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Provide key length instead of SHA384/SHA256 selection to the helper
function so that the new SHA512 option can be covered for
FT-SAE-EXT-KEY.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Provide enough information to allow the FTE to be built using the
correct MIC field length based on the used AKM and key length.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Move from this type of constructions:
switch (val) {
case 1:
something;
break;
}
default-action;
into following:
switch (val) {
case 1:
something;
break;
default:
default-action;
break
}
for cases where the switch statement is not expected to contain a full
set of enum values and as such, does not lose value from not having the
default target.
This makes the intent of default behavior clearer for static analyzers like
gcc with -Wswitch-default.
Signed-off-by: Chaoli Zhou <quic_zchaoli@quicinc.com>
Do not include 6 GHz channels in the ACS possible channel list if
neither HE (ieee80211ax=1) nor EHT (ieee80211be=1) is enabled since
those channels cannot be used in such combination.
Signed-off-by: Vishal Miskin <quic_vmiskin@quicinc.com>
hostapd based automatic channel selection doesn't update the hardware
mode after the channel is selected. This change specifically helps
channel 14 which can operate only in IEEE 802.11b mode.
Signed-off-by: Sunil Ravi <sunilravi@google.com>
bss->conf->bssid may be kept unset and will cause an empty BSSID field
in RNR. Fix this to use own_addr instead.
Signed-off-by: Shay Bar <shay.bar@celeno.com>
Signed-off-by: moran.daori <moran.daori@celeno.com>
The ACS info messages frequently appear for multiple channels. Without
the actual frequency in the messages, they are not very informative.
Add the frequency to them to improve this.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Don't select channels designated for exclusive indoor use when the
country string is set for outdoor operation (country3=0x4f, i.e., the
third character of the country string is 'O').
Signed-off-by: David Bauer <mail@david-bauer.net>
Support updating the RRM IEs to the driver for Probe Response and
(Re)Association response frames in the AP mode when the SME is
implemented in the driver.
Signed-off-by: Chaoli Zhou <quic_zchaoli@quicinc.com>
Set TWT responder configurator in the driver parameters only when the AP
is configured with HE enabled. This was already done for the extended
capability bit generation in commit 8de0ff0fa1 ("HE: Add TWT responder
extended capabilities field"), but this parameter for the driver command
to start the AP in _ieee802_11_set_beacon() missed the condition.
Move the ieee80211ax check into the common helper function to cover both
cases. In addition, add a check for disable_11ax to cover the case where
HE is disabled for a specific BSS.
Fixes: ab8c55358e ("HE: Dynamically turn on TWT responder support")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
After the secure association and PTK derivation are completed, if the
device supports LTF keyseed, generate the LTF keyseed using KDK and set
the ranging context to the driver by using the command
QCA_NL80211_VENDOR_SUBCMD_SECURE_RANGING_CONTEXT.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
AP as a responder, on successful completion of PASN authentication
configures the required keys by using the command
QCA_NL80211_VENDOR_SUBCMD_SECURE_RANGING_CONTEXT to the driver.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Add an option for an alternative processing of PTKSA life time expiry.
Register a callback in wpa_supplicant to handle the life time expiry of
the keys in PTKSA cache. Send PASN deauthentication when a PTKSA cache
entry expires.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
On successful PASN handshake or 4-way handshake with a peer, PTK is
derived using the local and peer MAC addresses as input. Store the own
MAC address that is used for key derivation in PTKSA cache to maintain
that state over potential MAC addresses changes.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Use separate capabilities for AP and STA modes for P802.11az security
parameters secure LTF support, secure RTT measurement exchange support,
and protection of range negotiation and measurement management frames
support.
P802.11az security parameters are considered to be supported for both
station and AP modes if the driver sets NL80211_EXT_FEATURE_SECURE_LTF,
NL80211_EXT_FEATURE_SECURE_RTT, and
NL80211_EXT_FEATURE_PROT_RANGE_NEGO_AND_MEASURE flags. The driver can
advertize capabilities specific to each mode using
QCA_WLAN_VENDOR_FEATURE_SECURE_LTF*,
QCA_WLAN_VENDOR_FEATURE_SECURE_RTT*, and
QCA_WLAN_VENDOR_FEATURE_PROT_RANGE_NEGO_AND_MEASURE* flags.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Reorder PKEX initiation function to send out the PKEX Exchange Request
frame at the end after all possible error cases have been checked. This
prevents Enrollee from seeing a PKEX frame when the session is about to
fail.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
hostapd_dpp_add_controller() ended up trying to parse the IP address
without nul terminating it. This might work with some C libraries, but
not all. And anyway, this was already supposed to nul terminate the
string since a temporary copy is created of the constant string. Fix
this by adding the missed replacement of the space with nul.
Fixes: bfe3cfc382 ("DPP: Allow Relay connections to Controllers to be added and removed")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This can be helpful for upper layers to be able to determine whether the
configuration was rejected.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
The new SAE AKM suites are defined to use H2E, so ignore the sae_pwe
value when these AKM suites are used similarly to the way H2E gets
enabled when SAE Password Identifiers are used.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Define new WPA_KEY_MGMT_* values for the new SAE AKM suite selectors
with variable length keys. This includes updates to various mapping and
checking of the SAE key_mgmt values.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
The new DPP-RELAY-NEEDS-CONTROLLER control interface event can be used
to trigger mDNS discovery of a Controller to see if such a connection
can be established automatically at the time an Enrollee is trying to
initiate an operation.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
The new control interface commands "DPP_RELAY_ADD_CONTROLLER <IP addr>
<PK hash>" and "DPP_RELAY_REMOVE_CONTROLLER <IP addr>" can now be used
to dynamically add and remove connections to Controllers for the cases
where the connection is initialized through a DPP Public Action frame
(i.e., Controller as the Responder).
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Instead of requiring explicit configuration through
dpp_configurator_connectivity=1, advertise Configurator connectivity
automatically if a Relay is configured with a Controller that can
operate as a Responder.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Accept an incoming TCP connection from a Controller in a Relay that is
configured with dpp_relay_port even if that Controller is not configured
with a dpp_controller parameter. This allows more dynamic Controller
initiated operations, e.g., when using mDNS to discover a Relay.
This type of a dynamic Controller entry will not be used for exchanges
that are initiated by an Enrollee (i.e., based on a DPP Public Action
frame received by the Relay).
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Verify that the peer does not change its bootstrapping key between the
PKEX exchange and the authentication exchange.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
When PKEX was started through the push button mechanism, the own
bootstrapping key was not bound correctly to the Authentication phase
information and that ended up in incorrectly generating a new
bootstrapping key for the Authentication exchange. Fix this by added the
needed own=<id> parameter into the cached parameters when using push
button.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
The peer=<id> information about the specific boostrapping key provided
through PKEX was added for Public Action frame cases, but the TCP
variant did not do same. Add the same information there to maintain
knowledge of the specific peer bootstrapping key from PKEX to
Authentication exchange.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Extend DPP push button support in wpa_supplicant to allow the role of
the Configurator to be used. This provides similar functionality to the
way the DPP_PUSH_BUTTON command in hostapd worked when providing the
configuration parameters with that command (instead of building the
config object based on current AP configuration).
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
It is possible for a Controller to receive a copy of its own PKEX
Exchange Request in the case where the Controller is initiating a PKEX
exchange through a Relay. The Configurator role in the device would have
a matching PKEX code in that case and the device might reply as a PKEX
responder which would result in going through the exchange with the
Controller device itself. That is clearly not desired, so recognize this
special case by checking whether the Encrypted Key attribute value
matches a pending locally generated one when processing a received PKEX
Exchange Request.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
We are not supposed to reuse these without being explicitly requested to
perform PKEX again. There is not a strong use case for being able to
provision an Enrollee multiple times with PKEX, so this should have no
issues on the Enrollee. For a Configurator, there might be some use
cases that would benefit from being able to use the same code with
multiple Enrollee devices, e.g., for guess access with a laptop and a
smart phone. That case will now require a new DPP_PKEX_ADD command on
the Configurator after each completion of the provisioning exchange.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Add a privacy protecting variant of the peer introduction protocol to
allow the station device to hide its Connector from 3rd parties. The new
wpa_supplicant network profile parameter dpp_connector_privacy=1 can be
used to select this alternative mechanism to the peer introduction
protocol added in the initial release of DPP.
It should be noted that the new variant does not work with older DPP APs
(i.e., requires support for release 3). As such, this new variant is
disabled by default.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This allows the DPP Configuration Request Object from an Enrollee to be
extended with 3rd party information. The new dpp_extra_conf_req_name and
dpp_extra_conf_req_value configuration parameters specify the name of
the added JSON node and its contents. For example:
dpp_extra_conf_req_name=org.example
dpp_extra_conf_req_value={"a":1,"b":"test"}
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This extends Relay functionality to allow a Controller to intitiate a
new DPP exchange in addition to the previously supported case where the
exchange was initiated through a DPP Public Action frame.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
While the most likely production use case for DPP push button is to
provision the AP's current configuration, there might be some use cases
for providing different configuration. Add possibility for doing this by
extending the DPP_PUSH_BUTTON command to accept an optional set of
parameters similarly to the other DPP commands for the Configurator.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Add support to use a push button -based bootstrap mechanism with DPP.
The new DPP_PUSH_BUTTON control interface command enables this mode on
the AP/hostapd and station/wpa_supplicant. This goes through the
following sequence of events: a suitable peer in active push button mode
is discovered with session overlap detection, PKEX is executed with
bootstrap key hash validation, DPP authentication and configuration
exchanges are performed.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Move most of CHANWIDTH_* definitions from ieee80211_defs.h to defs.h as
the definitions are getting used mostly for internal purpose only. Also
change prefix of the definitions to CONF_OPER_CHWIDTH_* and update in
all the files accordingly.
Leave the couple of VHT-specific exceptions to use the old defines (the
reason why they were originally added as VHT values), to avoid use of
clearly marked configuration values in information elements. In
addition, use the defines instead of magic values where appropriate.
Signed-off-by: Aleti Nageshwar Reddy <quic_anageshw@quicinc.com>
Skip the x_snoop_deinit() operations if hostapd did not actually
configure the parameters in the first place. While clearing these
specific parameters is unlikely to change how they were set outside the
scope of hostapd, it is better to leave them as-is to avoid surprises if
hostapd was not configured to use ProxyARP.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
tcp_addr=from-uri can now be used as a special case for initiating
DPP-over-TCP to the destination indicated in the peer bootstrapping URI.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Only use the bandwidth bits that are applicable for the current
operating band. This avoids use of reserved bits when determining the
length of the Support EHT-MCS And NSS Set field length.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
IEEE Std 802.11-2020 is ambiguous on how the Secure bit is set in
EAPOL-Key msg 1/4 and 2/4 in the case where 4-way handshake is use to
rekey the PTK. 12.7.2 describes this with "set to 1 once the initial key
exchange is complete" while 12.7.6 shows EAPOL-Key msg 1/4 and 2/4 using
Secure=0 without any consideration on whether the handshake is for
rekeying.
TGme seems to be moving towards clarifying this to use Secure=1 based on
there being a shared PTKSA between the Authenticator and the Supplicant.
In other words, this would use Secure=1 in EAPOL-Key msg 1/4 and 2/4 in
the case of rekeying. Change implementation to match that. This bit was
already practically ignored on the reception side, so this should not
have impact on actual functionality beyond this one bit changing its
value in the frame.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Avoid the somewhat confusing mechanism of determining the bitfield index
from the assigned IP address to make this easier for static analyzers.
Signed-off-by: Jouni Malinen <j@w1.fi>
Limit the GAS comeback delay to 60000 TUs, i.e., about 60 seconds. This
is mostly to silence static analyzers that complain about unbounded
value from external sources even though this is clearly bounded by being
a 16-bit value.
Signed-off-by: Jouni Malinen <j@w1.fi>
BIT(r) is not sufficient here since it does not cover 64 bit values.
Write this out with 1ULL to be large enough for the shift operation.
Signed-off-by: Jouni Malinen <j@w1.fi>
It looks like fst_wpa_obj::get_hw_modes would have been left
uninitialized in hostapd. It is not obviously clear why this would not
have caused issues earlier, but in any case, better make this set
properly to allow unexpected behavior should that function pointer ever
be used.
Signed-off-by: Jouni Malinen <j@w1.fi>
Without this, hostapd generates Probe Response frames with the null
destination address when hostapd enables unsolicited Probe Response
frame transmission. Fix this to use the broadcast address instead.
Fixes: 024b4b2a29 ("AP: Unsolicited broadcast Probe Response configuration")
Signed-off-by: MeiChia Chiu <meichia.chiu@mediatek.com>
RSN design is supposed to encrypt all Data frames, including EAPOL
frames, once the TK has been configured. However, there are deployed
implementations that do not really follow this design and there are
various examples from the older uses of EAPOL frame where those frames
were not encrypted. As such, strict filtering of unencrypted EAPOL
frames might results in undesired interoperation issues.
However, some of the most important cases of missing EAPOL frame
encryption should be possible to handle without causing too significant
issues. These are for cases where an attacker could potentially cause an
existing association to be dropped when PMF is used. EAPOL-Start and
EAPOL-Logoff are potential candidate for such attacks since those frames
could be used to terminate an authentication or initiate a new EAP
authentication. Such an attack could result in the station ending up
disconnecting or at minimum, getting into somewhat mismatching state
with the AP.
Drop EAPOL-Start/Logoff/EAP frames on the AP/Authenticator when it is
known that it was not encrypted but should have been and when PMF is
enabled. While it would be correct to drop this even without PMF, that
does not provide any significant benefit since it is trivial to force
disconnection in no-PMF cases. It should also be noted that not all
drivers provide information about the encryption status of the EAPOL
frames and this change has no impact with drivers that do not indicate
whether the frame was encrypted.
Signed-off-by: Jouni Malinen <j@w1.fi>
This information was already available from the nl80211 control port RX
path, but it was not provided to upper layers within wpa_supplicant and
hostapd. It can be helpful, so parse the information from the driver
event.
Signed-off-by: Jouni Malinen <j@w1.fi>
sm->pairwise_set needs to be set whenever the TK has been configured to
the driver to request following EAPOL frames to be encrypted (or more
specifically, not to request them to not be encrypted). The FILS case
missed this setting and that could result in rekeying or
reauthentication in an associated started with FILS not working
correctly.
Fixes: da24c5aa1c ("FILS: Set TK after association (AP)")
Signed-off-by: Jouni Malinen <j@w1.fi>
wpa_validate_wpa_ie() might update sm->* values, so it should not be
allowed for an existing STA entry if that STA has negotiated MFP to be
used for the association. Fix this by first checking whether an SA Query
procedure needs to be initiated. In particular, this prevents a
potential bypass of the disconnection protection.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
The driver can consider EHT specific parameters such as the puncture
pattern for ACS when this flag attribute is indicated by userspace.
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Do not consider optional octets maximum lengths when validating EHT
fixed fields length. Furthermore, do not use the first two octets of the
PPE Thresholds field without explicitly confirming that these octets
were included in the element and fix PPE Thresholds field length
calculation.
Fixes: a6d1b4c46c ("EHT: Process (Re)Association Request frame capabilities")
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
enum macaddr_acl is forward declared in wpa_supplicant/ap.h.
c++ compiler doesn't allow forward declaration. So to fix the
compilation error, moved the enum macaddr_acl declaration out
of struct hostapd_bss_config.
Signed-off-by: Sunil Ravi <sunilravi@google.com>
Add a notification message to indicate reason for TLS handshake failure
due to the server not supporting safe renegotiation (RFC 5746).
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
pbkdf2_sha1() may return errors and this should be checked in calls.
This is especially an issue with FIPS builds because the FIPS
requirement is that the password must be at least 14 characters.
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
Add support for IMSI privacy in the EAP-SIM/AKA server implementation.
If the new hostapd configuration parameter imsi_privacy_key is used to
specify an RSA private key, that key will be used to decrypt encrypted
permanent identity.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Modify hostapd_set_freq_params() to include EHT parameters and update
the calling functions to match.
Signed-off-by: Muna Sinada <quic_msinada@quicinc.com>
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
Set bit 21 in the neighbor report for an EHT AP as described in IEEE
P802.11be/D1.5, 9.4.2.36. Also move the check for HE outside the check
for HT as neither HT nor VHT are enabled in the 6 GHz band.
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
Add support for EHT capabilities in the addition of a new station entry
to the driver.
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
Parse EHT capabilities sent by a non-AP STA in (Re)Association Request
frames. Validate the length of the element, matching MCS rates between
AP TX and STA RX. Store the capabilities in the station info structure.
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
Add EHT Operation element in Beacon, Probe Response, and (Re)Association
Response frames using the format described in IEEE P802.11be/D1.5,
9.4.2.311.
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Signed-off-by: Muna Sinada <quic_msinada@quicinc.com>
Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
Add new configuration options to configure EHT operating channel
width and center frequency.
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
Add compilation support for IEEE 802.11be along with options to enable
EHT support per radio and disable per interface.
Enabling HE is mandatory to enable EHT mode.
Tested-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
Signed-off-by: Aloka Dixit <quic_alokad@quicinc.com>
Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
Allow hostapd configuration to specify use of the 6 GHz band with the
specific op_class values without having to set the hw_mode=a parameter
explicitly.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This feature does not work on all radios that advertise this feature
with the current driver implementation, and possibly some users don't
want to use it even if it works fine, so disable it by default for now,
but let users enable it as desired with enable_background_radar=1.
Signed-off-by: Ben Greear <greearb@candelatech.com>
The acs_exclude_dfs parameter is documented as a way to exclude DFS
channels when performing ACS without disabling DFS altogether. The
problem is this parameter is only enforced when ACS is offloaded to the
driver (WPA_DRIVER_FLAGS_ACS_OFFLOAD). So from now on, lets also check
acs_exclude_dfs in the internal ACS implementation to exclude channels
marked with radar detection.
Signed-off-by: Nicolas Escande <nico.escande@gmail.com>
This commit activates the functionality of the previous commits by
handling the actual events that will trigger the CCA process.
Tested-by: Peter Chiu <chui-hao.chiu@mediatek.com>
Co-developed-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
While we are doing CCA the BSS Color Disabled field inside the HE
Operation Parameters field needs to be set.
Tested-by: Peter Chiu <chui-hao.chiu@mediatek.com>
Co-developed-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
This information element is similar to the CSA one. It contains a
counter and the target color. Once the counter expired, the change to
the new color happens.
Just note the current implementation is based on CCA counter attributes
that only take Beacon and Probe Response framesinto account.
(Re)Association Response frames do not currently have kernel APIs to
decrement the CCA counter since mediatek mcu firmware does not support
it yet and it will be added in future firmware release.
Tested-by: Peter Chiu <chui-hao.chiu@mediatek.com>
Co-developed-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
Add the core code for handling BSS color collision events and triggering
CCA inside the kernel. The caller of hostapd_switch_color() will be
added in the following commits.
Tested-by: Peter Chiu <chui-hao.chiu@mediatek.com>
Co-developed-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
Use vendor specific RADIUS attributes for sending ANonce and EAPOL-Key
msg 2/4 for the wpa_psk_radius=3 case. The vendor specific attributes
for this are defined in FreeRADIUS as follows:
BEGIN-VENDOR FreeRADIUS format=Extended-Vendor-Specific-5
ATTRIBUTE FreeRADIUS-802.1X-Anonce 1 octets[32]
ATTRIBUTE FreeRADIUS-802.1X-EAPoL-Key-Msg 2 octets
END-VENDOR FreeRADIUS
Signed-off-by: Jouni Malinen <j@w1.fi>
Add Transmit Power Envelope element for 6 GHz per IEEE Std
802.11ax-2021.
Currently, this uses hard coded EIRP/PSD limits which are applicable to
6 GHz operation in United states, Japan, and Korea. Support to extract
power limits from kernel data will be added after complete regulatory
support is added for the 6 GHz band.
Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
Add new field definitions for the 6 GHz Operation Information field in
the HE Operation element per IEEE Std 802.11ax-2021, 9.4.2.249. These
will be used for TPC operation in the 6 GHz band.
Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
IEEE Std 802.11ax-2021 introduces Regulatory Info subfield to specify
the 6 GHz access point type per regulatory. Add a user config option for
specifying this.
When not specified, Indoor AP type is selected for the 6 GHz AP by
default.
Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
Add support for the Country element for the 6 GHz band per IEEE Std
802.11ax-2021, 9.4.2.8 (Country element).
Signed-off-by: Pradeep Kumar Chitrapu <quic_pradeepc@quicinc.com>
force_kdk_derivation is defined within CONFIG_TESTING_OPTIONS, so need
to use matching condition when accessing it.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
It could have been possible to get into an endless loop of retried EAP
authentication followed by failing or not completed 4-way handshake if
there was a different interpretation of EAP authentication result
(success on AP, failure on STA). Avoid this by limiting the number of
consecutive EAPOL reauth attempts without completing the following 4-way
handshake.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Unsolicited broadcast Probe Response frame configuration did not work in
hostapd due fils_discovery_min_int being used by mistake where
fils_discovery_max_int should have been used in checking for conflicting
configuration. The latter is the one used to decide whether FILS
discovery is enabled or not.
Signed-off-by: Karthikeyan Kathirvel <quic_kathirve@quicinc.com>
This is a workaround for mac80211 behavior of retransmitting the
Association Request frames multiple times if the link layer retries
(i.e., seq# remains same) fail. The mac80211 initiated retransmission
will use a different seq# and as such, will go through duplicate
detection. If we were to change our DH key for that attempt, there would
be two different DH shared secrets and the STA would likely select the
wrong one.
Signed-off-by: Jouni Malinen <j@w1.fi>
Add an alternative sequence for performing the RADIUS ACL check and PSK
fetch. The previously used (macaddr_acl=2, wpa_psk_radius=2) combination
does this during IEEE 802.11 Authentication frame exchange while the new
option (wpa_psk_radius=3) does this during the 4-way handshake. This
allows some more information to be provided to the RADIUS authentication
server.
Signed-off-by: Jouni Malinen <j@w1.fi>
The check for PSK/passphrase not being present was considering only the
WPA-PSK AKM, but the same check should be applied for all other AKMs
that can use a PSK.
Signed-off-by: Jouni Malinen <j@w1.fi>
While these do not return error code within the current hostapd
implementation, matching functions in wpa_supplicant AP functionality
will have an error case and using consistent return type will make the
control interface code more consistent.
In addition, export hostapd_set_acl() in preparation for the
wpa_supplicant control interface implementation extension.
Signed-off-by: Chaoli Zhou <quic_zchaoli@quicinc.com>
This allows upper layers to learn about associated stations requesting
BSS transition management from the AP.
Signed-off-by: Chaoli Zhou <quic_zchaoli@quicinc.com>
Only the SME-in-hostapd case updated sta->ext_capability while the
SME-in-the-driver case updated sta->qos_map_enabled, but not other items
related to the extended capabilities. This resulted in reduced
information being available through the control interface.
Use the shared helper function for both cases to get matching
information available regardless of the SME architecture.
Signed-off-by: Chaoli Zhou <quic_zchaoli@quicinc.com>
On radar detection on the main chain switch to the channel monitored
by the background chain if we have already performed the CAC there.
If a radar pattern is reported on the background chain, just select a
new random channel according to the regulations for monitoring.
Tested-by: Owen Peng <owen.peng@mediatek.com>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Rely on hostapd_dfs_request_channel_switch() to enable CSA for
background radar detection switching back to the selected channel.
Tested-by: Owen Peng <owen.peng@mediatek.com>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
This is a preliminary patch to add Channel Switch Announcement for
background radar detection.
Tested-by: Owen Peng <owen.peng@mediatek.com>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Introduce the capability to perform radar/CAC detection on an offchannel
radar chain available on some hardware (e.g., mt7915). This feature
allows to avoid CAC downtime switching on a different channel during CAC
detection on the selected radar channel.
Tested-by: Owen Peng <owen.peng@mediatek.com>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Add the capability to specify all 3 channel type possibilities in
dfs_downgrade_bandwidth(). This is a preliminary change to introduce
radar/CAC background detection support.
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
There can be some discrepancy between the theorical dfs cac end (as
computed with the cac duration and cac start) and the actual cac end as
reported by the driver. During that window, the value of remaining time
outputed by the status command on the socket control interface will
display an overflowed, invalid value.
To mitigate this lets compute the remaining time as signed and display
it only when positive, otherwise defaulting it to 0.
Status command shows something like that when polling every seconds:
state=DFS
cac_time_seconds=60
cac_time_left_seconds=1
...
state=DFS
cac_time_seconds=60
cac_time_left_seconds=0
...
state=DFS
cac_time_seconds=60
cac_time_left_seconds=4294967294
...
state=DFS
cac_time_seconds=60
cac_time_left_seconds=4294967293
...
state=DFS
cac_time_seconds=60
cac_time_left_seconds=4294967292
...
state=ENABLED
cac_time_seconds=60
cac_time_left_seconds=N/A
Signed-off-by: Nicolas Escande <nico.escande@gmail.com>
Allow the Configurator to be configured to use a specific curve for the
netAccessKey so that it can request the Enrollee to generate a new key
during the configuration exchange to allow a compatible Connector to be
generated when the network uses a different curve than the protocol keys
used during the authentication exchange.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Allow PKEX v1-only or v2-only behavior to be specific for the Responder
role. This is mainly for testing purposes.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Allow the first Tunnel-Password RADIUS entry to be used for SAE in
addition to the sae_password entries and wpa_passphrase parameters from
the static configuration file.
Signed-off-by: Mario Hros <git@reversity.org>
Introduce type parameter to dfs_get_valid_channel() routine to allow
selection of a radar-only channel where the CAC detection has not been
performed yet. This is a preliminary patch to enable background
radar/CAC detection.
Tested-by: Owen Peng <owen.peng@mediatek.com>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
This is a preliminary change to introduce radar/CAC background detection
support.
Tested-by: Owen Peng <owen.peng@mediatek.com>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Do not use the first octet of the PPE Thresholds field without
explicitly confirming that that octet was included in the element.
Furthermore, allow the received element to have additional octets in the
end since IEEE Std 802.11ax-2021 defines this to be an extensible
element and new fields could be added to the end of it in the future.
Fixes: 0497e41481 ("HE: Fix HE Capabilities element size")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
The previously used calculation was not correct for the cases where the
extra padding field was needed. Fix this by properly calculating the
number of full octets in the field.
Fixes: 0497e41481 ("HE: Fix HE Capabilities element size")
Signed-off-by: Shiva Sankar Gajula <quic_sgajula@quicinc.com>
Couple of the WPS/P2P/RADIUS-PSK cases were freeing heap memory
allocations without explicitly clearing the PSK value. Add such clearing
for these to avoid leaving the PSK in memory after it is not needed
anymore.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Unlike the other keys that were cleared here, the PMK is available
without FT support built into hostapd and as such, should be cleared in
all cases.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This makes it easier to scan process memory for key information that is
not supposed to remain there after the last use.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Allow macsec_csindex to be configured and select the cipher suite when
the participant acts as a key server.
Signed-off-by: leiwei <quic_leiwei@quicinc.com>
Check driver support for SA Query offload in AP mode and skip starting
SA Query timer on CSA for OCV enabled STAs when the driver indicates
support for offloading SA Query procedures.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
The TCP code path did not handle the postponed connection attempt on TX
status and the following result message from the Enrollee to the
Configurator. Fix this by adding TCP-versions of these operations to
match the way wpa_supplicant implemented this for the Public Action
frames.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This extends dpp_test functionality to allow DPP Network Introduction
exchanges to use an incorrect value in the Protocol Version attribute.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Use a separate ver=<1|2> parameter to DPP_PKEX_ADD instead of
overloading init=1 with version indication. This allows additional
options for forcing v1-only and v2-only in addition to automatic mode
(start with v2 and fall back to v1, if needed).
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This extends hostapd with the design used in wpa_supplicant for PKEX
initiator retries and automatic version fallback from v2 to v1 (the
latter is enabled only with CONFIG_DPP3=y).
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Report TX status for DPP messages even if the destination address was
broadcast. This is needed to get appropriate trigger for PKEX retries.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
The rx_freq of Public Action frame was not maintained by the GO and the
GO always sent the response on the operating channel. This causes
provision discovery failure when a P2P Device is sending a PD Request on
a 2.4 GHz social channel and the GO is responding on a 5 GHz operating
channel.
Save the rx_freq and use it for GO to sent the response. This extends
commit c5cc7a59ac ("Report offchannel RX frame frequency to hostapd")
to cover additional frame types.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
hostapd should update Supported Channel Width Set of HT Capability
Information field after channel switching done. Otherwise, it would
continue to use the old setting.
Signed-off-by: peterhuang <peterhuang@realtek.com>
Because ieee80211ac and ieee80211ax were not updated before channel
switch is done, hostapd didn't build the Channel Switch Wrapper element
when it switched from HT to bandwidth more than 40 MHz of VHT/HE. fix
this by allowing hostapd_eid_wb_chsw_wrapper() to determine internally
when the element needs to be added based on the new channel instead of
the old configuration.
Signed-off-by: peterhuang <peterhuang@realtek.com>
hostapd will build wrong beacon_after in hostapd_fill_csa_settings() if
it doesn't update ieee80211ac when channel switching.
Signed-off-by: peterhuang <peterhuang@realtek.com>
Allow mesh_fwding (dot11MeshForwarding) to be specified in a mesh BSS
config, pass that to the driver (only nl80211 implemented for now) and
announce forwarding capability accordingly.
Signed-off-by: José Pekkarinen <jose.pekkarinen@unikie.com>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
If min_tx_power is specified (default 0 dBm, i.e., no constraint), ACS
and DFS will not consider channels whose available max_tx_power is less
than the configured value.
This may be useful to exclude SRD (Short Range Device) channels which
may be limited to 13.9 dBm (25 mW) in some regulatory domains.
Signed-off-by: Alan Young <consult.awy@gmail.com>
Add support for PKEXv2 core protocol. This defines a new PKEX Exchange
Request message type with protocol negotiation and different rules for
key derivation with PKEXv2 or newer is used.
This does not change existing behavior for PKEX, i.e., the PKEXv1
variant will still be used by default.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Allow the dpp_test parameter to be used to request the Protocol Version
attributed to be omitted from the Peer Discovery Request/Response
message.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Verify that the Protocol Version attribute is used appropriate in Peer
Discovery Request/Response messages in cases where the signed Connector
includes the version information.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Generate Peer Discovery Request/Response messages using the protected
version from the Connector, if present, instead of the currently
supported protocol version which might be higher than the one that got
included into the signed Connector during provisioning earlier.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Reduced neighbor report has a field to indicate whether unsolicited
Probe Response transmission is active. Add a check to return failure if
both FILS discovery and unsolicited Probe Response are enabled at the
same time to ensure that RNR includes valid data.
Signed-off-by: Aloka Dixit <alokad@codeaurora.org>
When a Probe Request frame from a station includes an SSID matching that
of a co-located 6 GHz AP, AP should respond with a Probe Response frame
that includes Reduced Neighbor Report element containing information
regarding the requested BSS.
Signed-off-by: Muna Sinada <msinada@codeaurora.org>
Signed-off-by: Aloka Dixit <alokad@codeaurora.org>
Update 2.4/5 GHz Beacon frames every time Beacon frames for co-located 6
GHz AP(s) are set. This is required for 6 GHz out-of-band discovery so
that lower band Beacon frames will include RNR element with 6 GHz AP
information irrespective of the AP bring-up order. Similarly, RNR is
included in FILS Discovery frames by default in 6 GHz-only mode,
updating the Beacon frames will remove it when co-located 2.4/5 GHz
interfaces are brought up.
This change also ensures that the changes in 6 GHz AP configuration such
as new channel and bandwidth get reflected in the lower bands Beacon
frames.
Signed-off-by: Aloka Dixit <alokad@codeaurora.org>
Add Reduced Neighbor Report element in Beacon, Probe Response, and FILS
Discovery frames.
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Aloka Dixit <alokad@codeaurora.org>
Include Reduced Neighbor Report element in Beacon and Probe Response
frames by default if the reporting AP is 2.4/5 GHz and it is co-located
with a 6 GHz AP. Similarly, include RNR by default in FILS Discovery
frames if the AP is a standalone 6 GHz AP.
Signed-off-by: John Crispin <john@phrozen.org>
Co-developed-by: Aloka Dixit <alokad@codeaurora.org>
Signed-off-by: Aloka Dixit <alokad@codeaurora.org>
Calculate the length and include data for the BSSes active on the same
radio as the reporting BSS in the Reduced Neighbor Report element. This
element is included in Beacon and Probe Response frames.
Signed-off-by: John Crispin <john@phrozen.org>
Co-developed-by: Pradeep Kumar Chitrapu <pradeepc@codeaurora.org>
Signed-off-by: Pradeep Kumar Chitrapu <pradeepc@codeaurora.org>
Co-developed-by: Muna Sinada <msinada@codeaurora.org>
Signed-off-by: Muna Sinada <msinada@codeaurora.org>
Co-developed-by: Aloka Dixit <alokad@codeaurora.org>
Signed-off-by: Aloka Dixit <alokad@codeaurora.org>
Include data from the existing neighbor database in the Reduced Neighbor
Report element in Beacon frames if the configuration option 'rnr' is
enabled for the BSS.
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Muna Sinada <msinada@codeaurora.org>
Co-developed-by: Aloka Dixit <alokad@codeaurora.org>
Signed-off-by: Aloka Dixit <alokad@codeaurora.org>
Adds configuration option 'rnr' to enable the reduced neighbor report
elements in Beacon and Probe Response frames.
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Aloka Dixit <alokad@codeaurora.org>
Add a new field to include BSS Parameter subfield in the neighbor
database as described in IEEE Std 802.11ax-2021, Figure 9-632a (BSS
Parameters subfield format). This field holds information related to
multiple BSSID, access point co-location, and 20 TU probe response
active/inactive state.
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Aloka Dixit <alokad@codeaurora.org>
Calculate and store short SSID in hostapd_data context during config
load time and in neighbor report.
Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Aloka Dixit <alokad@codeaurora.org>
