For AP MLD cases, the link id is required to determine the correct link
to stop in the stop_ap() driver op.
Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
The check for the non-AP MLD link being valid can be done one level
outside the loop that tries to find a matching AP link.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
For non-AP MLDs, clear STA entry from all affiliated links.
For legacy non-MLO case, find association link to clear the STA entry.
Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
This adds initial parts for RADIUS/TLS support in the RADIUS client.
This can be used with eapol_test and hostapd. This functionality is not
included by default and CONFIG_RADIUS_TLS=y in .config can be used to
enable it.
This version does not yet include all the needed functionality for TLS
validation and the rules for dropping a TCP connection based on invalid
RADIUS attributes.
Signed-off-by: Jouni Malinen <j@w1.fi>
There is only one connection in use in parallel to a RADIUS
authentication server (and similarly to a RADIUS accounting server). As
such, there is not really any need to maintain separate open IPv4 and
IPv6 sockets. Instead, open the socket for the appropriate IP version
only when actually connecting to a specific server.
Signed-off-by: Jouni Malinen <j@w1.fi>
There is no need for passing the sock and sock6 parameters separately
since they were always the same values for auth == 0 or auth == 1 cases.
Signed-off-by: Jouni Malinen <j@w1.fi>
ETHER_VLAN_ENCAP_LEN does not seem to be defined in macOS
net/ethernet.h, so define that, if needed, to avoid build issues.
Fixes: 5b21f4861c ("l2_packet_freebsd: Enable receiving priority tagged (VID=0) frames")
Signed-off-by: Jouni Malinen <j@w1.fi>
When the station (non-AP MLD) is associated with an AP MLD the link ID
for TDLS setup is derived from the discovery response frame and the link
ID is used in TDLS setup operation when acting as initiator. The driver
sends the received discovery response frame followed by the TDLS setup
request event. But the discovery response frame is received after the
setup request event leading to use incorrect link ID value for TDLS
setup operation causing the setup failure. Process the TDLS setup
request if the discovery response frame is received, else defer the
process until the discovery response frame is received and process the
setup request after discovery response frame is processed.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
When the CHAN_SWITCH command is executed during multi BSSID case (say
BSS1, BSS2, and BSS3), if one of the BSS is disabled (say BSS2), the
CHAN_SWITCH command returns an error in BSS2 and does not proceed to the
next BSS (BSS3).
The CHAN_SWITCH command handler iterates over all configured BSSs and
attempts to send the switch_channel to each one. However, if any one of
the BSSs fails, the entire command is aborted and returns a failure.
Continue the iteration even if one BSS is failing to make sure the
configuration is applied to other BSSs.
Signed-off-by: Haribabu Krishnasamy <quic_hkr@quicinc.com>
During high battery voltage scenario, higher MCS data rate leads to poor
EVM accuracy which causes poor user experience. Hence to provide better
user experience, EVM accuracy needs to be improved by adjusting TX power
for MCS rate of specific band/radio chain. To achieve this, add a new
vendor command to configure required parameters in the WLAN driver.
Signed-off-by: Mukul Sharma <quic_mukul@quicinc.com>
Add hostapd support for interacting with the NAN discovery engine to
allow single-channel (i.e., the AP's operating channel) USD as Publisher
or Subscriber.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Add wpa_supplicant support for interacting with the NAN discovery engine
to allow USD as Publisher or Subscriber.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Add NAN discovery engine and wpa_supplicant interface to use it for the
subset of NAN functionality that is needed for USD.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This was missing a check for the Category field and could have matched
other Action frames than Public Action frames.
Fixes: 9c2b8204e6 ("DPP: Integration for hostapd")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
The standard is somewhat unclear on whether the PMKIDs used in
(Re)Association Request frame (i.e., potential PMKIDs that could be used
for PMKSA caching during the initial mobility domain association) are to
be retained or removed when generating EAPOL-Key msg 2/4.
wpa_supplicant has replaced the PMKID List contents from (Re)Association
Request frame with PMKR1Name when generating EAPOL-Key msg 2/4 for FT.
Allow it to be configured (ft_prepend_pmkid=1) to prepend the PMKR1Name
without removing the PMKIDs from (Re)Association Request frame.
Signed-off-by: Jouni Malinen <j@w1.fi>
The standard is somewhat unclear on whether the PMKIDs used in
(Re)Association Request frame (i.e., potential PMKIDs that could be used
for PMKSA caching during the initial mobility domain association) are to
be retained or removed when generating EAPOL-Key msg 2/4.
hostapd used to require that only the PMKR1Name is included in the PMKID
List of RSNE in EAPOL-Key msg 2/4. Extend this to allow the PMKIDs that
were included in the (Re)Association Request frame to be present as long
as the correct PMKR1Name is also present. This would allow PMKSA caching
to be used in initial mobility domain association with supplicant
implementations that insert the PMKR1Name without removing the PMKIDs
used in the (Re)Association Request frame. wpa_supplicant did not use to
that, but other implementations might.
Signed-off-by: Jouni Malinen <j@w1.fi>
For some implementation, there is no link id in EAPOL event, e.g., use
drv_event_eapol_rx for receiving. Current design for such case is switch
to a link that stores the peer. However, this is error-prone because for
non-AP MLD case, sta_info is stored in all valid links but EAPOL sm is
only initialized in the association link. If EAPOL RX event is handled
in a non-association link, it will be discarded and this leads to EAPOL
timeout.
So find the association link to handle received EAPOL frame in such
case. This replaces the previously used workaround for RSN/wpa_sm for
the no link id specified case.
Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
Disabling the first interface calls hapd_deinit(), which causes some
issues, e.g., failure when trying to disable other interfaces due to
NULL drv_priv.
So check that all other interfaces are already disabled before disable
the first interface.
Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
Existing commands ENABLE/DISABLE only enable/disable the corresponding
link. To disable all links, multiple calls from different control
interfaces would be needed.
Add new commands "disable_mld" and "enable_mld" for hostapd_cli to
support disabling/enabling AP MLD for convenience.
Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
These control interface commands do not take any parameters and as such,
do not need to use a prefix match. Replace that with an exact string
match to avoid matching other potential command strings.
Fixes: 7554565299 ("hostapd: Add ctrl_iface for enabling/reloading/disabling interface")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
When association is handled in hostapd, a non-AP MLD's info is stored in
all valid links. This should be the same when SME is offloaded to the
driver.
Also skip some operations that are already done by the driver
when SME is offloaded.
Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
Return the result from the first hostapd_is_usable_chan() call instead
of the following attempts in case of ht40_plus_minus_allowed to have
consistent behavior with the case where only one option is specified.
This allows the fallback to 20 MHz to work in additional cases.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
When ACS offloaded to the driver, the channel selected event carries
link id to specify the link if operating as AP MLD.
Find the specified link to handle this event.
Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
ACS is triggered per link, so link id is needed for the driver to handle
when the ACS operation is offloaded.
Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
Use of ptk_len is not valid here to check what is the length of the
actual TK. Fix this by using ptk->tk_len instead so that the appropriate
decryption function can be selected for cases where the TKs are
configured through the PTK file.
Fixes: ce7bdb54e5 ("wlantest: Extend Management frame decryption to support GCMP and CCMP-256")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Now that run-tests.py closes the control interface sockets explicitly,
there is no need to try to avoid using dev[] within the D-Bus test
cases.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Close all the control interface sockets and delete the client socket
files explicitly at the end of the test loop. This removes needs for
various workarounds that tried to force WpaSupplicant and Ctrl class
__del__() to remove the sockets.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
The same thing as we did previously in dbus_p2p_autogo_pbc
can evidently also happen in dbus_p2p_autogo.
The test here wants to connect and then disconnect again,
but it's driven only by the GO side, so the client may end
up (with UML time-travel) not fully connecting, and then
it all fails. Wait for the client to have connected first.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Currently, AID is not allocated properly in hostapd for legacy non-MLD
STA in case of an AP MLD. All such stations have same AID.
Fix this issue by allocating AID properly in hostapd when operating as
an AP MLD and the STA is not an MLD.
Fixes: d924be3bd0 ("AP: AID allocation for MLD")
Signed-off-by: Harish Rachakonda <quic_rachakon@quicinc.com>
This is an event indicating to the user space to disassociate with
peer based on the peer MAC address provided.
Signed-off-by: Muna Sinada <quic_msinada@quicinc.com>
The test here wants to connect and then disconnect again, but it's
driven only by the GO side, so the client may end up (with UML
time-travel) not fully connecting, and then it all fails. Wait for the
client to have connected first.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
OpenSSL 3.2 added support for HPKE. Use that implementation when
possible. At least for now, the internal version needs to be included as
well to be able to cover the special DPP use case with brainpool curves.
Signed-off-by: Jouni Malinen <j@w1.fi>
The use of a MAC KDE in the Key Data field of an EAPOL-Key Request frame
was only for the STAKey handshake. That handshake was implemented in
2005 as an experimental functionality and it was then removed in 2006.
However, this part of the functionality was forgotten. This does not do
anything in practice, so simplify the implementation and remove it.
Signed-off-by: Jouni Malinen <j@w1.fi>
The Encrypted Key Data field need to be set to 1 whenever using an AEAD
cipher. Without this, the Authenticator would discard the EAPOL-Key
request frame when using FILS.
Signed-off-by: Jouni Malinen <j@w1.fi>
EAPOL-Key request is accepted only if the MIC has been verified, so PTK
must have already been derived and Secure=1 needs to be used. Check the
Secure bit explicitly for completeness even though the MIC verification
is already taking care of validating that the sender is in the
possession of valid keys.
Signed-off-by: Jouni Malinen <j@w1.fi>
While the Authenticator state machine conditions are already checking
for sm->EAPOLKeyRequest, it seems clearer to explicitly discard any
EAPOL-Key Request frame that is received unexpectedly during a 4-way
handshake.
Signed-off-by: Jouni Malinen <j@w1.fi>