Commit graph

19696 commits

Author SHA1 Message Date
Jouni Malinen
be6e4279fa RSNO: Verify all RSNE/RSNXE variants in multi-link cases
Use the RSN Override Link KDE to include the override variants of the
RSNE/RSNXE for each link so that all variants are verifies when
processing the protected EAPOL-Key message 3/4.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-30 19:56:00 +03:00
Jouni Malinen
4d110b4f87 tests: More detailed error logging for RSN overriding with MLD
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-30 18:52:15 +03:00
Jouni Malinen
521374b978 RSNO: Include all RSNE/RSNXE variants in EAPOL-Key message 3/4
This allows all variants to be verified based on a protected frame to
achieve robust downgrade protection.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-30 18:52:15 +03:00
Jouni Malinen
6f522baa1b RSNO: Use SNonce cookie to indicate support for RSN overriding
This provides an implicitly protected (SNonce is used as an input to PTK
derivation) mechanism for a STA to indicate support for RSN overriding
in a manner that does not cause interopability issues with deployed APs.

In addition, update sm->SNonce on the Authenticator only based on
message 2/4 since that is the only EAPOL-Key message that is defined to
provide the actual SNonce value. While clearing of this internal buffer
on message 4/4 might not cause issues, it is better to keep the actual
SNonce value here since the SNonce cookie can be used at a later point
in the sequence.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-30 12:16:05 +03:00
Jouni Malinen
62ca121f96 RSNO: Use the RSN Selection element to indicate which variant was used
This replaces the use of the RSNE Override and RSNE Override 2 elements
with empty payload to indicate which RSNE variant was used.

In addition, this adds stricter validation of the RSNE in
(Re)Association Request frame to allow only the pairwise cipher suites
and AKMs listed in the indicated RSNE variant to be used.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-30 12:16:05 +03:00
Jouni Malinen
524c452153 RSNO: Remove unused override element generation
The separate RSNOE/RSNO2E/RSNXOE buffers were not actually used on the
Authenticator, so remove them.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-30 12:16:05 +03:00
Chenming Huang
13648dde91 FILS: Check for potential NULL return
hostapd_eid_assoc_fils_session() might return NULL if memory allocation
fails. This NULL value then will be used for invalid calculation and
cause unspecified behavior or be dereferenced unexpectedly. Avoid this
with an explicit check of the returned pointer.

Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
2024-07-25 21:03:59 +00:00
Adil Saeed Musthafa
376adfea8d RSNO: Protect wpa_ie_buf3 from reuse explicitly
Use else-if check for better clarity regarding usage of wpa_ie_buf3 to
make it explicit that memory is allocated for this pointer only once.

Signed-off-by: Adil Saeed Musthafa <quic_adilm@quicinc.com>
2024-07-25 21:03:51 +00:00
Jouni Malinen
4adf234cd3 RSNO: Remove override elements from EAPOL-Key msg 3/4
This was not done in case the STA did not use RSN overriding.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-25 19:22:00 +00:00
Jouni Malinen
9732c8b85c wlantest: Remove unused QoS handling from GCMP nonce generation
This was copied from CCMP, but is not needed (and can trigger compiler
warnings) with GCMP.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-25 00:39:30 +00:00
Jouni Malinen
e0053bf9d0 tests: Long extra KDE in EAPOL-Key msg 3/4
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-24 20:35:11 +00:00
Jouni Malinen
296104d35c Testing functionality to allow EAPOL-Key Reserved field to be set
The new hostapd configuration parameter eapol_key_reserved_random=1 can
be used for testing STA/Supplicant functionality to accept a random
value in the Reserved field within EAPOL-Key frames.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-24 17:22:42 +00:00
Jouni Malinen
2e4c612dd2 Allow RSNE/RSNXE/RSNOE/RSNO2E/RSNXOE to be replace for testing
This is convenient for testing STA behavior with various RSN element
combinations and special cases.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-24 01:01:29 +00:00
Jouni Malinen
bb61f6cb95 RSNO: Support over two octets of RSNXOE capabilities
The RSNXE generation function was extended to support this earlier, but
that update was missed from the RSNXOE variant.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-23 21:36:46 +00:00
Jouni Malinen
8b2ddfdbb6 RSNO: Allow RSNXE to be omitted
Add an explicit rsn_override_omit_rsnxe=1 configuration parameter to
allow the RSNXE to be omitted when using the RSNXOE and wanting to
minimize interoperability issues with STAs that might recognize the
RSNXE, but not handle it correctly, e.g., when multiple octets of
payload is included.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-23 21:20:45 +00:00
Hu Wang
92374d59d4 Enhance select_network() to trigger new scans in some cases
wpa_supplicant select_network() relies on fast_associate to reuse old
scan results. However, this approach does not apply in some cases in
Android:

1 - If the selected network is hidden, and the SSID is in Chinese,
Android switches between fallback SSIDs, necessitating a new scan for
switching between different hidden SSIDs.

2 - Similarly, if the selected SSID is OWE (Opportunistic Wireless
Encryption), and the OWE SSID bands have been changed, select_network()
requires a fresh scan to discover hidden OWE SSIDs.

To address these, enhance select_network() to trigger new scans instead
of relying on fast_associate. This improves network selection behavior
in Android.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-22 19:01:18 +00:00
Veerendranath Jakkam
ff99012d84 RSNO: Use correct MLO capability while fetching RSNE/RSNXE
Use current connection MLO capability to fetch the appropriate
RSNE/RSNXE variant while processing association event.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2024-07-22 18:50:24 +00:00
Veerendranath Jakkam
526ea193c8 Fallback to RSNXE when AP is not using valid RSN Overrding
wpa_supplicant was ignoring RSNXE also if the AP is not using valid
RSN overriding combination when the STA supports RSN overriding. Fix
this fallback to the RSNXE when AP is not using valid RSN overriding.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2024-07-22 18:48:20 +00:00
Vinay Gannevaram
4417b5ba86 Add QCA vendor interface to support Unsynchronized Service Discovery
Add a new QCA command QCA_NL80211_VENDOR_SUBCMD_USD and related
attributes to support Unsynchronized Service Discovery (USD).

Device in active subscriber role sends SDF frames with service
information to find devices that advertise or publish the required
services. Device address, operation type, instance id, service_id,
channel info, service specific info, element container attribute, and
timeout are sent to the driver to initiate USD publish or USD subscribe
operation. The driver sends QCA_NL80211_VENDOR_SUBCMD_USD event with
instance_id and the USD operation status. QCA_NL80211_VENDOR_SUBCMD_USD
is also used to update publish operation and to cancel the publish or
subscribe operation for a service. It also allows all the operations to
be terminated using the USD flush command.

Signed-off-by: Vinay Gannevaram <quic_vganneva@quicinc.com>
2024-07-20 21:00:21 +00:00
Jouni Malinen
8d54863550 tests: RSNE/RSNXE overriding
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-20 21:28:28 +03:00
Jouni Malinen
765c48d5ad RSNE/RSNXE overriding for STA
Add support for RSNE/RSNXE Override elements. Use these elements to
determine AP's extended RSN parameters.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-20 21:28:28 +03:00
Jouni Malinen
d0b55eb360 Make driver capabilities for AKM suites available within wpa_supplicant
In addition, add some of the previously missed AKM suites from the
default capabilities.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-20 21:28:28 +03:00
Jouni Malinen
5488e120d3 Use helper functions to access RSNE/RSNXE from BSS entries
This is a step towards allowing the contents of RSNE/RSNXE to be
overridden.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-20 21:28:28 +03:00
Veerendranath Jakkam
341bcb2b5c nl80211: Add a capability flag for RSN overriding
Add a new capability flag based on the nl80211 feature advertisement for
RSN overriding support.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2024-07-20 21:28:28 +03:00
Veerendranath Jakkam
6fad7224be Add QCA vendor feature flags to indicate RSN override elements support
Add a separate feature flag for STA mode to indicate support for RSN
override elements.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2024-07-20 21:28:28 +03:00
Jouni Malinen
157b016383 RSNE/RSNXE overriding for AP
Allow hostapd to be configured to advertised two separate sets of
RSNE/RSNXE parameters so that RSNE/RSNXE can use a reduced set of
capabilities (e.g., WPA2-Personal only) for supporting deployed STAs
that have issues with transition modes while the new override elements
can use a newer security option (e.g., WPA3-Personal only) for STAs that
support the new mechanism.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-20 21:28:28 +03:00
Jouni Malinen
b8a2d11ae0 Allow RSNXE Override element to override RSNXE contents during parsing
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-20 21:28:28 +03:00
Jouni Malinen
48ca68f6f8 Allow RSNE Override element to override RSNE contents during parsing
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-20 21:28:28 +03:00
Jouni Malinen
c16ac89be2 Add RSN overriding elements into IE parsing
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-20 21:28:28 +03:00
Jouni Malinen
6b0ce29d25 Define WFA vendor specific element types for RSNE/RSNXE overriding
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-20 21:28:28 +03:00
Jouni Malinen
e99cdfae41 The main branch is now used for v2.12 development
Signed-off-by: Jouni Malinen <j@w1.fi>
2024-07-20 21:16:55 +03:00
Jouni Malinen
d945ddd368 Preparations for v2.11 release
Update the version number for the build and also add the ChangeLog
entries for both hostapd and wpa_supplicant to describe main changes
between v2.10 and v2.11. Update the copyright years for the main
programs.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-07-20 21:04:37 +03:00
Davide Caratti
aa2dfae5eb dbus: Fix memory leak with Bonjour params for a P2P UPnP service
Using D-Bus, it is possible to add a valid UPnP service where 'query'
and 'response' are specified. In this case, memory for 'query' and
'response' is allocated but not used nor freed. Valgrind complains as
follows:

 42 bytes in 1 blocks are definitely lost in loss record 32 of 75
    at 0x484C214: calloc (vg_replace_malloc.c:1675)
    by 0x41C673: wpabuf_alloc (wpabuf.c:124)
    by 0x41C673: wpabuf_alloc_copy (wpabuf.c:162)
    by 0x54F41A: wpas_dbus_handler_p2p_add_service (dbus_new_handlers_p2p.c:2762)
    by 0x53B9A2: msg_method_handler (dbus_new_helpers.c:356)
    by 0x53B9A2: message_handler (dbus_new_helpers.c:412)
    by 0x4EAB4B8: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.19.13)
    by 0x5495DF: dispatch_data (dbus_common.c:37)
    by 0x5495DF: process_watch (dbus_common.c:73)
    by 0x5495DF: process_watch_read (dbus_common.c:89)
    by 0x41EE8E: eloop_sock_table_dispatch.part.0 (eloop.c:603)
    by 0x41FA46: eloop_sock_table_dispatch (eloop.c:597)
    by 0x41FA46: eloop_run (eloop.c:1233)
    by 0x56A3CE: wpa_supplicant_run (wpa_supplicant.c:8074)
    by 0x40DB06: main (main.c:393)

 49 bytes in 1 blocks are definitely lost in loss record 37 of 75
    at 0x484C214: calloc (vg_replace_malloc.c:1675)
    by 0x41C673: wpabuf_alloc (wpabuf.c:124)
    by 0x41C673: wpabuf_alloc_copy (wpabuf.c:162)
    by 0x54F348: wpas_dbus_handler_p2p_add_service (dbus_new_handlers_p2p.c:2755)
    by 0x53B9A2: msg_method_handler (dbus_new_helpers.c:356)
    by 0x53B9A2: message_handler (dbus_new_helpers.c:412)
    by 0x4EAB4B8: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.19.13)
    by 0x5495DF: dispatch_data (dbus_common.c:37)
    by 0x5495DF: process_watch (dbus_common.c:73)
    by 0x5495DF: process_watch_read (dbus_common.c:89)
    by 0x41EE8E: eloop_sock_table_dispatch.part.0 (eloop.c:603)
    by 0x41FA46: eloop_sock_table_dispatch (eloop.c:597)
    by 0x41FA46: eloop_run (eloop.c:1233)
    by 0x56A3CE: wpa_supplicant_run (wpa_supplicant.c:8074)
    by 0x40DB06: main (main.c:393)

Fix this ensuring that query and resp are freed both in the error and
non-error path of wpas_dbus_handler_p2p_add_service(). Also, add a test
in test_dbus.py to verify the correct behavior.

Signed-off-by: Davide Caratti <davide.caratti@gmail.com>
2024-07-20 20:28:40 +03:00
David Ruth
70e5bad563 dbus: Fix SignalChange property
SignalChange should be defined as a property of an interface.
Previously, it was incorrectly defined as a property of P2P peers.

Fixes: 7a7ce95746 ("dbus: Emit more information over D-Bus")
Signed-off-by: David Ruth <druth@chromium.org>
2024-07-20 20:20:38 +03:00
Sunil Ravi
ed5887a8c9 Move NULL check for driver private data (drv_priv)
In the hostapd_cleanup_driver() function, the NULL check for the driver
private data (drv_priv) is located within the CONFIG_IEEE80211BE feature
flag. As a result, on platforms where CONFIG_IEEE80211BE is not defined,
driver->hapd_deinit(drv_priv) is called with drv_priv set to NULL. This
leads to a null pointer exception in wpa_driver_nl80211_deinit().

To address this issue, move the NULL check for drv_priv outside the
CONFIG_IEEE80211BE build flag. This ensures that the check is performed
regardless of the value of CONFIG_IEEE80211BE, preventing the NULL
pointer exception.

Fixes: df34c2ced3 ("AP MLD: De-initialize/disable link BSS properly")
Signed-off-by: Sunil Ravi <sunilravi@google.com>
2024-07-20 20:14:08 +03:00
Veerendranath Jakkam
c3d305d939 FT: Fix FTE MIC calculation with fragmented FTE
Currently wpa_ft_parse_ies() is setting FTE information to wpa_buf
pointer data which is generated after defragmentation. This data will
not contain FTE and Fragment element(s) headers.

IEEE P802.11be/D5.0 describes the MIC to be calculated on the
concatenation of FTE and corresponding Fragment element(s) which
implies the element headers are included for each element in the
fragmented case.

Fix this by correctly populating FTE information when FTE is
fragmented.

Fixes: 43b5f11d9 ("Defragmentation of FTE")
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2024-07-15 10:51:44 -04:00
Michael-CY Lee
e7172e26d3 MLD STA: Find partner links by BSSID and SSID
Non-AP MLD finds AP MLD's partner links by BSSID from the scan results.
However, if the scan results contain BSSs with the same BSSID but
different BSS information, the non-AP MLD might assign a wrong BSS to
one of the AP MLD's partner links.

Avoids the problem by using both BSSID and SSID to find the AP MLD's
partner links.

Signed-off-by: Michael-CY Lee <michael-cy.lee@mediatek.com>
2024-07-13 18:09:32 +03:00
marek@mazekey.pl
6809f2b955 tests: Check CSA between non DFS and DFS chan
Add test to validate CSA between non DFS channel
and DFS channel with different operating class.

Signed-off-by: Marek Kwaczynski <marek@mazekey.pl>
2024-07-13 18:09:32 +03:00
marek@mazekey.pl
816e22bba1 hostapd: Fix opclass during CSA with DFS channels
During CSA with DFS channels, disable, enable interface is a part of the
algorithm. When interface was enabled old operating class before switch
and new channel were used causing mismatch in
configured_fixed_chan_to_freq() function.

Example of log when switch from channel 157 to 108 was triggered:
"Could not convert op_class 124 channel 108 to operating frequency"

Fixes: bb781c763 ("AP: Populate iface->freq before starting AP")
Signed-off-by: Marek Kwaczynski <marek@mazekey.pl>
2024-07-13 18:09:32 +03:00
gasmibal@gmail.com
93a3c59ad9 Multi-AP: Honor wds_sta even with multi_ap
When multi_ap is active, hostapd creates an AP-VLAN interface for 4addr
stations, even though wds_sta is not configured.

A check should be added to determine if wds_sta is active before
re-enabling the WDS mode by creating an AP-VLAN for 4addr stations.

Signed-off-by: Baligh Gasmi <gasmibal@gmail.com>
2024-07-13 18:09:32 +03:00
Jouni Malinen
90344c323e tests: Set sta_wds in multi_ap_backhaul_shared_bss
This is needed to add the WDS interface for a STA with stricter
implementation checks.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-13 18:09:32 +03:00
Jouni Malinen
49fe24e6f5 tests: wpa_supplicant secure mesh and injected SAE messages
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-13 16:38:48 +03:00
Jouni Malinen
7d51bf2abd SAE: Drop default dot11RSNASAESync value from 5 to 3
Going through five extra rounds of SAE commit messages in cases where
SAE peers are somehow unsynchronized feels unnecessary much to do by
default, so drop the default value to 3.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-13 16:37:15 +03:00
Jouni Malinen
5da59ff1cd SAE: Disable protocol instance temporarily on sync error in mesh
Reduce the number of unwanted SAE commit retries in synchronization
error cases when Sync > dot11RSNASAESync in mesh cases by discarding
received SAE commit messages for 10 seconds after a sync error has been
detected.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-13 16:35:12 +03:00
Nicolas Escande
7b8517d197 nl80211: Fix AP scan with STA fallback error path
I've run into a case where I can bring a 2.4 GHz AP up without it being
in a bridge while I used the 'bridge=' config option. This happens when
the HT scan needed for 40 MHz operation failed to start from the get go
because another dev on the same phy was already in a scan. At the end
the AP is up and running but not added into any bridge.

Upon looking at the code, it seems that some hardware fails to issue a
scan while in AP and thus we have a fallback that switches the interface
from AP to STA before retrying another scan (it will change it back to
AP later on when finished). As we cannot have a (non-WDS) STA in a
bridge, during that procedure, we also remove/add the AP/STA from/to the
bridge as needed.

However, in wpa_driver_nl80211_scan() we do not set
drv->ap_scan_as_station until the end of the switch-to-sta &
retry-scan-start block. This means that when the recursive call to
wpa_driver_nl80211_scan() fails (the hardware is busy in my case) we
restore the interface to AP with wpa_driver_nl80211_set_mode() but that
will not add it back to the bridge. Problem.

To fix this lets always set drv->ap_scan_as_station before calling
wpa_driver_nl80211_set_mode(). In case wpa_driver_nl80211_set_mode() or
wpa_driver_nl80211_scan() fails lets call nl80211_restore_ap_mode() that
will set the mode back to AP but also handle the bridge thing as needed.

Signed-off-by: Nicolas Escande <nico.escande@gmail.com>
2024-07-12 16:44:30 +03:00
Chien Wong
6ad59779c2 nl80211: NAN: Register multicast action frames if possible
The USD passive subscriber and solicited transmission only publisher
require receiving multicast NAN action frames in order to work.
Currently, we are not requesting to receive multicast when
registering NAN action frames. As a result, USD passive subscribe or
solicited only publish may not work.

The NL80211_ATTR_RECEIVE_MULTICAST attribute corresponds to wiphy
ext feature NL80211_EXT_FEATURE_MULTICAST_REGISTRATIONS, which
requires driver support and only a few drivers in the kernel tree
support it. Namely ath9k, ath9k_htc, ath10k and hwsim. We should
fall back to register non multicast action frames if the driver
has no support.

It was confirmed that ath9k_htc starts to work after the changes.

Note that even without requesting to receive multicast Action
frames, some drivers would still upload them. For example, rtl8192cu
and hwsim. This is why test cases like test_nan_usd_match would not
fail.

Tested-on: TP-LINK TL-WN821N v3(AR7010+AR9287, ath9k_htc)
Signed-off-by: Chien Wong <m@xv97.com>
2024-07-12 16:40:48 +03:00
Chien Wong
f250c34d10 tests: NAN: Check USD publish type
Signed-off-by: Chien Wong <m@xv97.com>
2024-07-12 16:37:15 +03:00
Chien Wong
92829d8bee NAN: Reject undefined publish type
The Wi-Fi Aware Specification v4.0 only defines unsolicited
transmissions only, solicited transmissions only and both unsolicited
and solicited transmissions publish. The other possibility is undefined
so we should reject it.

Signed-off-by: Chien Wong <m@xv97.com>
2024-07-12 16:37:01 +03:00
Chien Wong
44f20382cc NAN: Fix a typo in USD doc
The 'req_instance' parameter in transmit command should be
'req_instance_id'.

Fixes: e3f9ab3c3a ("NAN: USD in wpa_supplicant")
Signed-off-by: Chien Wong <m@xv97.com>
2024-07-12 16:34:56 +03:00
Michael-CY Lee
7c935eef36 nl80211: AP MLD: Reassign drv->ctx correctly to prevent hostapd crash
When the first link is deleted and there are still remaining links,
drv->ctx should be updated to the new default link on the bss.
Otherwise, drv->ctx points to the address that has already been freed
and makes hostapd crash.

Fixes: d2b62b3fe5 ("AP MLD: Support link removal before removing interface")
Signed-off-by: Michael-CY Lee <michael-cy.lee@mediatek.com>
2024-07-12 15:20:44 +03:00