OBSS scan can be required in different links if operating as an AP MLD.
When triggering scan, specify the link ID for the driver to find the
correct link to scan.
Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
If the driver provides an identifying cookie value for scan operations,
use that to select which link processes the scan result. This is needed
for OBSS scans that can be required in different links if operating as
an AP MLD. Distinguish the scans using scan_cookie for QCA vendor scan
events.
Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
In AP MLD case, HT scan results need to be handled in the link that
triggered this scan. So find the link that has a valid scan_cb to handle
EVENT_SCAN_RESULTS.
Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
Modules that use libpasn for PASN authentication need the context of
PASN data. PASN data is a common context for the library and the modules
using it. Hence, initialize the context through init and deinit
functions. Also use set and get functions to update the parameters.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
PMKSA cache API is included in libpasn.so used by external modules,
e.g., Wi-Fi Aware. To avoid dependency on IEEE8021X_EAPOL define for the
external modules at compile time, remove PMKSA cache static inline
functions from the header file and add wrapper function stubs.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
PTKSA cache API is included in libpasn.so used by external modules,
e.g., Wi-Fi Aware. To avoid dependency on CONFIG_PTKSA_CACHE define for
the external modules at compile time, remove PTKSA cache static inline
functions from the header file and add wrapper function stubs.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Add the Extended Capabilities element for a non-TX BSS into the non-TX
BSSID profile subelement in the Multiple BSSID element if the non-TX BSS
has different extended capabilities than the TX BSS.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Add a new attribute QCA_WLAN_VENDOR_ATTR_AVOID_FREQUENCY_IFINDEX
for QCA_NL80211_VENDOR_SUBCMD_AVOID_FREQUENCY_EXT subcommand to
apply rules for avoid frequencies on a specific netdev. This is a
32-bit unsigned optional attribute.
Signed-off-by: Purushottam Kushwaha <quic_pkushwah@quicinc.com>
This reverts commit bffd2b3994.
Revert this commit to fix a regression when setting up P2P Group Owner
on some old device.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
The OpenSSL 3.0 (or newer) version of omac1_aes_vector() did not free
the EVP_MAC. This resulted in a memory leak that shows up in a bit
strange way in valgrind reports and because of that, was not caught
during automated testing.
Fixes: 0c61f6234f ("OpenSSL: Implement CMAC using the EVP_MAC API")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
The first link BSS was always disabled last. However, now the first BSS
can be dynamically adjusted. Hence, remove such restriction.
Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
Whenever ap_free_sta() was called, it deleted the whole station entry
from the kernel as well. However, with MLD stations, there is a
requirement to delete only the link station.
Add support to remove the link station alone from an MLD station. If the
link going to be removed is the association link, the whole station
entry will be removed.
Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
When the first link BSS of an interface was de-initialized/disabled, the
whole MLD was brought down. All other links were stopped beaconing and
links were removed. And if the non-first link BSS was
de-initialized/disabled, nothing happened. Even beaconing was not
stopped which is wrong.
Fix this by properly bringing down the intended link alone from the
interface.
Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
Previously, hostapd directly advertised the MLD capabilities received
from the driver. Since this information is exchanged during
initialization time only, the driver will advertise the maximum
supported values. hostapd should parse it and then based on the current
situation fill the values accordingly.
For example, the maximum number of simultaneous links is supposed to be
a value between 0 and 14, which is the number of affiliated APs minus 1.
The driver advertises this value as 5 and hostapd, irrespective of the
current active links, puts 5 in the frames.
Fix this by parsing the value from the driver capabilities and then
using the values as per the current situation of the links. The
advertised values will be used as the upper limit.
Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
If one or more BSS from the interface is partnering with BSSs from
another interface and if this interface gets disabled, the Beacon frames
need to be refreshed for other interfaces. Similar thing should happen
when it gets enabled.
Add logic to refresh other interface Beacon frames when one of the
interfaces is disabled or enabled.
Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
Previously, whenever if_remove() was called, the whole interface was
deleted. In an AP MLD, all partner BSS use the same driver private
context and hence removing the interface when only one of the links goes
down should be avoided.
Add a helper function to remove a link first whenever if_remove() is
called. Later while handling it, if the number of active links goes to
0, if_remove() would be called to clean up the interface.
This helper function will be used later when co-hosted AP MLD support is
added and as well later during ML reconfiguration support.
Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
When the interface was removed, the added links were not removed. While
removing the interface, kernel has removed the stale links but hostapd
has not. This is wrong since hostapd should remove and do the clean ups
properly while removing the interface.
Hence, remove the links when interface is removed.
Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
Construct the nl80211 remove link command using the per-BSS approach
instead of per-driver (drv->first_bss).
Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
nl80211_remove_links() iterated over all active links in the given BSS
and removed all of them. However, at times it is required to remove only
one link and not all links.
Add a helper function nl80211_remove_link() which will remove just the
given link_id from the passed BSS. nl80211_remove_links() will use this
and will call this for each of the active links to be removed.
Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
wpa_driver_nl80211_set_ap() called nl80211_put_freq_params() twice if AP
is an AP MLD. It called once while putting the MLO link ID and the other
time in the normal flow if frequency info is present. Doing this twice
is not required.
Call put_freq once during the normal flow only and separately of that,
add the link ID for AP MLD.
Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
This call was added within a conditional CONFIG_IEEE80211AX block even
though this can apply without that build option. Move this outside that
conditional block.
Fixes: b3921db426 ("nl80211: Add frequency info in start AP command")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Cache the corresponding hostapd_data struct context into the link entry
within the driver wrapper. This will be useful for driver events
callback processing.
Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
Currently, whenever a new BSS is created, if it is an EHT BSS it is tied
to a corresponding MLD structure. If the structure does not exist
already, a new one is created and tied to it. Accordingly, the link ID
is assigned as well. However, when the BSS is deleted, the MLD structure
is not freed and when it is again created the next time, the link ID is
incremented further and the BSS gets a wrong link ID.
For example, 2.4 GHz single link AP MLD case: First ADD, link ID 0 would
be assigned and MLD interface wlan0 would be created. When REMOVE is
issued, the BSS would be deleted but MLD wlan0 will not. When ADD is
issued again, the BSS will tie back to MLD wlan0 but this time the link
ID will be incremented again and 1 would be assigned. Hence, at
subsequent REMOVE/ADD, the link ID keeps on incrementing.
Since the link ID remains same for the full lifetime of the BSS and MLD,
the next link ID counter cannot be just reset back to 0 when a BSS is
deleted. Otherwise, in interleaved link enable/disable case, the link ID
would be changed.
To overcome this situation, whenever a BSS is deleted, if the MLD is not
referenced by any other existing BSS, delete the MLD structure itself.
To know how many BSSs are referring a given MLD, introduce a new member
refcount in MLD. If the value is 0 it is safe to delete the MLD.
Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
Link ID was assigned when BSS is going through setup and the driver
interface init. Later if interface is disabled and enabled again, setup
BSS is called which will give a new link ID to it. However, Link ID
should be same for a BSS affliated to an AP MLD for the full lifetime of
the BSS.
Hence, assign the link ID during BSS creation itself. And it will remain
until BSS entry is completely freed. Hence, link ID will not change as
part of disable/enable.
Also, since link ID would be decided now, it will help in creating link
level control sockets in a subsequent patch.
Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
MLD level structure is present to store the MLD level information.
Add changes to use the MLD structure instead of link specific struct
hostapd_data to get/set the MLD level information.
Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
MLD level information like MLD MAC address, next link ID, etc. was
stored in each BSS. However, only the first link BSS assigns values to
these members and the other link BSSs store references to the first BSS.
However, if the first BSS is disabled, the first BSS reference in all
BSS should be updated which is an overhead. Also, this does not seem to
scale.
Instead, a separate MLD level structure can be maintained which can
store all this ML related information. All affiliated link BSSs can keep
reference to this MLD structure.
This commit adds that MLD level structure. However, assigning values to
it and using that instead of BSS level members will be done in
subsequent commits.
Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
mld_id was provided as a user configuration to identify partner BSS
belonging to the same AP MLD. The same id is used at the protocol level
also to indicate the AP MLD ID of the MLD.
But, in general mld_id is a relative reference of the MLD where 0 is
used as the mld_id to represent the self MLD and in case of MLO MBSSID
mld_id of a non transmitted BSS affiliated to an AP MLD is based on the
relative BSS index of the non transmitted BSS from the transmitted BSS.
Hence mld_id need not be fetched from users, rather it can be identified
wherever required.
To verify if the partners belong to the same AP MLD the interface name
can be checked, since all link BSS partners of the same AP MLD belong to
the same interface.
Hence, remove use of mld_id user config and instead introduce two
functions hostapd_is_ml_partner() and hostapd_get_mld_id(). The former
is used to verify whether partners belong to the same AP MLD and the
latter is used to get the MLD ID of the BSS.
Signed-off-by: Sriram R <quic_srirrama@quicinc.com>
Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
In the code review, it was found that param->freq is accessed without
NULL check in wpa_driver_nl80211_set_ap(), while in other sections of
the code, freq is accessed only after NULL validation. This situation
could result in a segmentation fault at least in theory.
Add a NULL check for freq before accessing it to be consistent with the
other uses.
Fixes: 0c6c948047 ("nl80211: Support setting up an AP on a specified link")
Signed-off-by: Karthikeyan Kathirvel <quic_kathirve@quicinc.com>
mlme_event() calls nl80211_get_link_id_by_freq() to determine the link
to handle reported events. However, in channel switch event it is always
setting freq to the default link that leads to the issue that all other
events that go to mlme_event() will be handled in the default link.
Fix this by setting freq to the correct link specified by the link ID
when processing the event for a completed channel switch.
Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
The NL80211_CMD_DEL_BEACON command was always sent to the main interface
of the radio instead of the desired BSS interface, e.g., when sending a
STOP_AP control interface command from upper layer.
Signed-off-by: Nikita Chernikov <nchernikov@maxlinear.com>
Define attribute QCA_WLAN_VENDOR_ATTR_RATEMASK_PARAMS_LINK_ID in
enum qca_wlan_vendor_attr_ratemask_params to configure ratemask
per MLO link. If the attribute is not provided, ratemask will be
applied for setup link.
Signed-off-by: Shailendra Singh <quic_shasing@quicinc.com>
Add a new QCA vendor sub-command
QCA_NL80211_VENDOR_SUBCMD_SPECTRAL_SCAN_COMPLETE which will be used as a
netlink event to indicate the completion of a spectral scan request.
This event can also be sent incase of the spectral scan request timeout.
To be able to configure the timeout the value, add a new vendor
attribute QCA_WLAN_VENDOR_ATTR_SPECTRAL_SCAN_COMPLETION_TIMEOUT in
enum qca_wlan_vendor_attr_spectral_scan.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Add a vendor attribute QCA_WLAN_VENDOR_ATTR_SPECTRAL_DATA_TRANSPORT_MODE
to indicate the current spectral data transport mechanism to be used to
get spectral scan samples from the driver to userspace.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
When wpa_supplicant needed to update the internal BSS table with the
latest scan results from the driver, it fetched all BSSs and processed
them all. This is unnecessary for cases where an update is needed only
for a specific BSS. Optimize this by filtering out the unnecessary
entries from the results.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Update EAP-WSC parameters to include Multi-AP profile info to pass the
profile information through the provisioning steps. This is needed for
provisioning the STA configuration when different profiles are used.
Signed-off-by: Manoj Sekar <quic_sekar@quicinc.com>
Add support to fill "multi_ap_vlanid" info to the hostapd config file.
Add the Multi-AP Default 802.1Q Setting subelement into Multi-AP element
generating and parsing.
Signed-off-by: Manoj Sekar <quic_sekar@quicinc.com>
Add a new config option "multi_ap_client_disallow" to control allowing
backhaul STA with certain profiles alone to associate. This is done to
adhere to Wi-Fi EasyMesh specification which defined rules to
allow/disallow association of backhaul STA of certain profiles.
Signed-off-by: Manoj Sekar <quic_sekar@quicinc.com>
Allow both hostapd and wpa_supplicant to be configured with the
supported Multi-AP profile. The configured value will be advertised in
the Multi-AP element.
Signed-off-by: Manoj Sekar <quic_sekar@quicinc.com>
This makes it more convenient to handle extensions to the element and
allows code to be shared between hostapd and wpa_supplicant.
Signed-off-by: Manoj Sekar <quic_sekar@quicinc.com>
Replace the hardcoded buffer length with the actually number of
remaining bytes on the buffer. This is needed to be able to do real
buffer size validation within add_multi_ap_ie().
Furthermore, make hostapd_eid_multi_ap() static since it is not used
outside this file.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
To implement an action script that listens for DPP push button events
and for example blinks a LED it is useful to know when push button has
started. Emit an event when push button starts.
Signed-off-by: Evan Benn <evan.benn@morsemicro.com>
This is needed to allow some cases where puncturing prevents HT/VHT/HE
from using the full channel bandwidth.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This is needed to be able to check validity of the channel parameters
for cases where EHT puncturing impacts what can be enabled for
HT/VHT/HE.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
The testing functionality for overriding EHT puncturing bitmap was
applied only for the EHT elements. The mac80211 has been updated to
enforce compartibility between EHT and HT/VHT information and that made
the related test cases fail. Apply the override value for VHT element
generation to avoid some of those issues.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
A previous workaround was used to move the special operating class 130
to the end of the Supported Operating Classes element to avoid getting
any following entry being ignored or misunderstood. That is not really
the correct way of encoding the special cases, i.e., 80+80 MHz channels
that use two nonadjacent frequency segments.
Add support for encoding the 80+80 MHz channel with the 2-octet
operating class design using the Operating Class Duple sequence field of
the Supported Operating Classes element instead of listing the operating
classes that have the 80+ behavior limit set indication in Table E-4
(i.e., opclass 130 and 135) as 1-octet operating classes in the
Operating Classes field.
Fixes: a92660a00e ("Work around Supported Operating Classes element issues for 6 GHz")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Commit 085a3fc76e ("EHT: Add 320 channel width support") added this in
various places, but it did not cover everything. Extend this support to
be more complete. In particular, this allows wpa_supplicant to report
the operating class 137 in the Supported Operating Classes element and
to use it when processing beacon requests.
Signed-off-by: Ainy Kumari <quic_ainykuma@quicinc.com>
short_ssid in the own neighbor report might get out of sync, causing
advertising RNR element based on the old SSID, when SSID is changed
either with control interface command SET or with SIGHUP. Therefore,
sync the own report entry by removing the old entry and setting own
report again if the short SSID value has changed.
Signed-off-by: Nikita Chernikov <nchernikov@maxlinear.com>
Once the non-AP MLD is added to the driver, the driver handles the
address translation so that hostapd receives Management frames with
SA/DA being translated into MLD MAC addresses.
If the Authentication frmae is retransmitted with transaction being 1,
SA of the retransmitted Authentication frame is translated into the MLD
MAC address by the driver, and then in the function handle_auth(),
sta->mld_info.links[].peer_addr would be replaced by the MLD MAC address
even though it is supposed to be the link address.
Therefore, update the MLD information only when the STA has not yet been
added into the driver to avoid replacing the previously determined link
address with the MLD MAC address.
Fixes: bcbe80a66 ("AP: MLO: Handle Multi-Link element during authentication")
Signed-off-by: Michael-CY Lee <michael-cy.lee@mediatek.com>
In theory, os_snprintf() could return a negative value and as such,
os_snprintf_error() should be used in all cases where the buffer might
not be large enough.
Signed-off-by: Jouni Malinen <j@w1.fi>
The event indicating expiration of an offchannel TX is useful for cases
where the wait is for a frame that was explicitly requested to have the
pending cookie to be saved.
Signed-off-by: Jouni Malinen <j@w1.fi>
Most places in the codebase use a valid_links bitmask with an array.
Switch the bss->links array to use the same design with the Link ID
being used as the array index instead of having a link_id inside.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
This was done using the below semantic patch. There are a few more
places that were missed due to variable declarations or additional
checks in the for loop.
@@
iterator name for_each_link;
identifier max_links =~ "MAX_NUM_MLD_LINKS|MAX_NUM_MLO_LINKS";
expression links;
expression further_tests;
identifier i;
statement stmt;
@@
-for (i = 0; i < max_links; i++)
+for_each_link(links, i)
{
(
- if (!(links & BIT(i)))
- continue;
...
|
- if (!(links & BIT(i)) || further_tests)
+ if (further_tests)
continue;
...
|
- if (further_tests || !(links & BIT(i)))
+ if (further_tests)
continue;
...
|
- if (links & BIT(i))
stmt
|
- if (further_tests && (links & BIT(i)))
+ if (further_tests)
stmt
|
- if ((links & BIT(i)) && further_tests)
+ if (further_tests)
stmt
)
}
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
This is a simple macro iterating the given bitmask using the given
variable. Having the macro avoids the for loop-continuation making it
more readable overall.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
In some places the wrong index variable was used to access the link
configuration. Fix this by simply using link_id instead of i.
With this, the i loop variable is not needed anymore. We can simply
always pass 0 to nla_nest_start(). Also, the kernel does not care about
the order that the links are provides, so just remove the special
handling for the association link.
Fixes: a2c4c0b1b6 ("nl80211: Support MLD association request")
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
When a device supports both the 5 GHz band and the 6 GHz band,
these are reported as two separate modes, both with mode set to
HOSTAPD_MODE_IEEE80211A. However, as these are different modes,
each with its own characteristics, e.g., rates, capabilities etc.,
specifically differentiate between them by adding a flag to indicate
whether the mode describes a 6 GHz band capabilities or not.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
When wpa_supplicant assigns the IP address (WFA EAPOL IP address
allocation feature), the assigned IP address of the P2P Client on the GO
side is notified in the AP-STA-CONNECTED event. So to obtain the IP info
to external programs, modify the STA authorized event to include the the
assigned IP address of the P2P Client.
Test: Establish P2P connection and verified from the logs that
the P2P Client IP address is notified.
Signed-off-by: Sunil Ravi <sunilravi@google.com>
For AP MLD cases, the link id is required to determine the correct link
to stop in the stop_ap() driver op.
Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
The check for the non-AP MLD link being valid can be done one level
outside the loop that tries to find a matching AP link.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
For non-AP MLDs, clear STA entry from all affiliated links.
For legacy non-MLO case, find association link to clear the STA entry.
Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
This adds initial parts for RADIUS/TLS support in the RADIUS client.
This can be used with eapol_test and hostapd. This functionality is not
included by default and CONFIG_RADIUS_TLS=y in .config can be used to
enable it.
This version does not yet include all the needed functionality for TLS
validation and the rules for dropping a TCP connection based on invalid
RADIUS attributes.
Signed-off-by: Jouni Malinen <j@w1.fi>
There is only one connection in use in parallel to a RADIUS
authentication server (and similarly to a RADIUS accounting server). As
such, there is not really any need to maintain separate open IPv4 and
IPv6 sockets. Instead, open the socket for the appropriate IP version
only when actually connecting to a specific server.
Signed-off-by: Jouni Malinen <j@w1.fi>
There is no need for passing the sock and sock6 parameters separately
since they were always the same values for auth == 0 or auth == 1 cases.
Signed-off-by: Jouni Malinen <j@w1.fi>
ETHER_VLAN_ENCAP_LEN does not seem to be defined in macOS
net/ethernet.h, so define that, if needed, to avoid build issues.
Fixes: 5b21f4861c ("l2_packet_freebsd: Enable receiving priority tagged (VID=0) frames")
Signed-off-by: Jouni Malinen <j@w1.fi>
When the station (non-AP MLD) is associated with an AP MLD the link ID
for TDLS setup is derived from the discovery response frame and the link
ID is used in TDLS setup operation when acting as initiator. The driver
sends the received discovery response frame followed by the TDLS setup
request event. But the discovery response frame is received after the
setup request event leading to use incorrect link ID value for TDLS
setup operation causing the setup failure. Process the TDLS setup
request if the discovery response frame is received, else defer the
process until the discovery response frame is received and process the
setup request after discovery response frame is processed.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
When the CHAN_SWITCH command is executed during multi BSSID case (say
BSS1, BSS2, and BSS3), if one of the BSS is disabled (say BSS2), the
CHAN_SWITCH command returns an error in BSS2 and does not proceed to the
next BSS (BSS3).
The CHAN_SWITCH command handler iterates over all configured BSSs and
attempts to send the switch_channel to each one. However, if any one of
the BSSs fails, the entire command is aborted and returns a failure.
Continue the iteration even if one BSS is failing to make sure the
configuration is applied to other BSSs.
Signed-off-by: Haribabu Krishnasamy <quic_hkr@quicinc.com>
During high battery voltage scenario, higher MCS data rate leads to poor
EVM accuracy which causes poor user experience. Hence to provide better
user experience, EVM accuracy needs to be improved by adjusting TX power
for MCS rate of specific band/radio chain. To achieve this, add a new
vendor command to configure required parameters in the WLAN driver.
Signed-off-by: Mukul Sharma <quic_mukul@quicinc.com>
Add hostapd support for interacting with the NAN discovery engine to
allow single-channel (i.e., the AP's operating channel) USD as Publisher
or Subscriber.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Add wpa_supplicant support for interacting with the NAN discovery engine
to allow USD as Publisher or Subscriber.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Add NAN discovery engine and wpa_supplicant interface to use it for the
subset of NAN functionality that is needed for USD.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This was missing a check for the Category field and could have matched
other Action frames than Public Action frames.
Fixes: 9c2b8204e6 ("DPP: Integration for hostapd")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
The standard is somewhat unclear on whether the PMKIDs used in
(Re)Association Request frame (i.e., potential PMKIDs that could be used
for PMKSA caching during the initial mobility domain association) are to
be retained or removed when generating EAPOL-Key msg 2/4.
wpa_supplicant has replaced the PMKID List contents from (Re)Association
Request frame with PMKR1Name when generating EAPOL-Key msg 2/4 for FT.
Allow it to be configured (ft_prepend_pmkid=1) to prepend the PMKR1Name
without removing the PMKIDs from (Re)Association Request frame.
Signed-off-by: Jouni Malinen <j@w1.fi>
The standard is somewhat unclear on whether the PMKIDs used in
(Re)Association Request frame (i.e., potential PMKIDs that could be used
for PMKSA caching during the initial mobility domain association) are to
be retained or removed when generating EAPOL-Key msg 2/4.
hostapd used to require that only the PMKR1Name is included in the PMKID
List of RSNE in EAPOL-Key msg 2/4. Extend this to allow the PMKIDs that
were included in the (Re)Association Request frame to be present as long
as the correct PMKR1Name is also present. This would allow PMKSA caching
to be used in initial mobility domain association with supplicant
implementations that insert the PMKR1Name without removing the PMKIDs
used in the (Re)Association Request frame. wpa_supplicant did not use to
that, but other implementations might.
Signed-off-by: Jouni Malinen <j@w1.fi>
For some implementation, there is no link id in EAPOL event, e.g., use
drv_event_eapol_rx for receiving. Current design for such case is switch
to a link that stores the peer. However, this is error-prone because for
non-AP MLD case, sta_info is stored in all valid links but EAPOL sm is
only initialized in the association link. If EAPOL RX event is handled
in a non-association link, it will be discarded and this leads to EAPOL
timeout.
So find the association link to handle received EAPOL frame in such
case. This replaces the previously used workaround for RSN/wpa_sm for
the no link id specified case.
Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
Disabling the first interface calls hapd_deinit(), which causes some
issues, e.g., failure when trying to disable other interfaces due to
NULL drv_priv.
So check that all other interfaces are already disabled before disable
the first interface.
Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
When association is handled in hostapd, a non-AP MLD's info is stored in
all valid links. This should be the same when SME is offloaded to the
driver.
Also skip some operations that are already done by the driver
when SME is offloaded.
Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
Return the result from the first hostapd_is_usable_chan() call instead
of the following attempts in case of ht40_plus_minus_allowed to have
consistent behavior with the case where only one option is specified.
This allows the fallback to 20 MHz to work in additional cases.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
When ACS offloaded to the driver, the channel selected event carries
link id to specify the link if operating as AP MLD.
Find the specified link to handle this event.
Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
ACS is triggered per link, so link id is needed for the driver to handle
when the ACS operation is offloaded.
Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
Currently, AID is not allocated properly in hostapd for legacy non-MLD
STA in case of an AP MLD. All such stations have same AID.
Fix this issue by allocating AID properly in hostapd when operating as
an AP MLD and the STA is not an MLD.
Fixes: d924be3bd0 ("AP: AID allocation for MLD")
Signed-off-by: Harish Rachakonda <quic_rachakon@quicinc.com>
This is an event indicating to the user space to disassociate with
peer based on the peer MAC address provided.
Signed-off-by: Muna Sinada <quic_msinada@quicinc.com>
OpenSSL 3.2 added support for HPKE. Use that implementation when
possible. At least for now, the internal version needs to be included as
well to be able to cover the special DPP use case with brainpool curves.
Signed-off-by: Jouni Malinen <j@w1.fi>
The use of a MAC KDE in the Key Data field of an EAPOL-Key Request frame
was only for the STAKey handshake. That handshake was implemented in
2005 as an experimental functionality and it was then removed in 2006.
However, this part of the functionality was forgotten. This does not do
anything in practice, so simplify the implementation and remove it.
Signed-off-by: Jouni Malinen <j@w1.fi>
The Encrypted Key Data field need to be set to 1 whenever using an AEAD
cipher. Without this, the Authenticator would discard the EAPOL-Key
request frame when using FILS.
Signed-off-by: Jouni Malinen <j@w1.fi>
EAPOL-Key request is accepted only if the MIC has been verified, so PTK
must have already been derived and Secure=1 needs to be used. Check the
Secure bit explicitly for completeness even though the MIC verification
is already taking care of validating that the sender is in the
possession of valid keys.
Signed-off-by: Jouni Malinen <j@w1.fi>
While the Authenticator state machine conditions are already checking
for sm->EAPOLKeyRequest, it seems clearer to explicitly discard any
EAPOL-Key Request frame that is received unexpectedly during a 4-way
handshake.
Signed-off-by: Jouni Malinen <j@w1.fi>
There is no need to try to process the EAPOL-Key frame if it has an
unexpected Key Descriptor Version value. Move these checks to happen
earlier in the sequence. In adition, use a separate helper function for
this to simplify wpa_receive() a bit.
Signed-off-by: Jouni Malinen <j@w1.fi>
Check that the EAPOL-Key frame Key Descriptor Version value is one of
the defined values explicitly instead of failing to process the Key Data
field later (or end up ignoring the unexpected value if no processing of
Key Data is needed).
Signed-off-by: Jouni Malinen <j@w1.fi>
IEEE Std 802.11-2020 describes the rule based on not-TKIP for value 2
and no pairwise cipher condition on value 3, so use that set of more
generic rules here.
Signed-off-by: Jouni Malinen <j@w1.fi>
In hostapd_set_freq_params(), if center_segment0 is 2, call
ieee80211_chan_to_freq() with operating class 136 instead of 131.
This is needed because, channel 2 is an exception in the 6 GHz band. It
comes before channel 1 and is part of operating class 136.
Channels order in 6 GHz:
2 (Operating Class 136)
1 5 9 .... (Operating Class 131)
Signed-off-by: Thirusenthil Kumaran J <quic_thirusen@quicinc.com>
Add a new attribute for
%QCA_NL80211_VENDOR_SUBCMD_SET_WIFI_CONFIGURATION subcommand. This
attribute is an 8 bit unsigned value used to specify whether an
associated peer is a QCA device.
Signed-off-by: Muna Sinada <quic_msinada@quicinc.com>
If a GAS response is received for a pending SD query, process it even if
the TX status event for the query has not yet been received. It is
possible for the TX status and RX events to be reordered especially when
using UML time-travel, so this is needed to avoid race conditions to
make SD more robust.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
If both 6 GHz and S1G channels are included, the previously used timeout
was not long enough at least with mac80211_hwsim. Increase the initial
timeout to allow such a scan to be completed.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This makes it a bit easier to understand what happens with random
channel selection after radar detection.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
QCA_WLAN_VENDOR_ATTR_CONFIG_AP_ALLOWED_FREQ_LIST needs be to set per
link if operating as an AP MLD.
Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
It looks like best might be NULL in some cases, so check for this
explicitly before trying to dereference it for a debug print.
Fixes: 733de85680 ("ACS: Fix not selecting the best channel in the segment")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
key_data_buf is already freed on the common exit path, so do not try to
free it here on error.
Fixes: 4abc37e67b ("Support Key Data field decryption for EAPOL-Key msg 2/4 and 4/4")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
src/ap/ap_config.c is not really supposed to call directly into a
function in hostapd/config_file.c. Furthermore, the wrapper through
ap_config.c did not really have any real value since it just called a
function that is within hostapd/*.c and that wrapper was called from
hostapd/*.c.
Instead of the wrapper, just call the function directly within the
hostapd directory.
Fixes: 392114a179 ("FT: Add dynamic reload of RxKH definitions from file")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
peerkey from EVP_PKEY_new() needs to be freed on all error paths.
Fixes: b062507670 ("OpenSSL: Implement crypto_ecdh routines without EC_KEY for OpenSSL 3.0")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
If the driver fetch for the current sequency number fails, do not try to
print the value in a debug print without having cleared it.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Radar detection event could have resulted in the driver interface
instance getting deinitialized and the related memory freed in the
middle of the loop. This was not an issue when the event was passed only
into a single interface, but it became an issue when the loop tried to
send it to all interfaces. If the driver were removed, that loop check
would have used freed memory. Avoid this by explicitly checking that the
driver interface instance is still valid.
Fixes: f136837202 ("nl80211: Pass wiphy events to all affected interfaces")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
The TX status handler for DPP Authentication Confirm message might have
resulted in use-after-free if the start of a GAS query were to fail,
e.g., due to being somehow unable to transmit the initial request. Avoid
this by explicitly confirming that the authentication session was not
removed.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
The current connection (struct dpp_connection) might get removed during
the dpp_tcp_send_msg() call, so the code setting the
on_tcp_tx_complete_remove flag needs to check whether that happened to
avoid a potential use-after-free.
Fixes: 33cb47cf01 ("DPP: Fix connection result reporting when using TCP")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
When removing the bootstrap info for the PB context, all the possible
pointers to that information needs to be cleared to avoid accesses to
freed memory.
Fixes: 37bccfcab8 ("DPP3: Push button bootstrap mechanism")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
When the privacy protected itentity is used for EAP-SIM/AKA, the buffer
containing the identity was freed just before its use. Fix that by
reordering the operations.
Fixes: 881cb4198b ("EAP-SIM/AKA peer: Simplify identity selection for MK derivation")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
nl_socket_get_cb() increases cb_refcnf for the cb that is bound to a
socket and as such, nl_cb_put() needs to be used with the returned cb
after having cloned it to avoid leaking memory due to cb_refcnt never
getting back to 0.
Fixes: da0d51fee7 ("nl80211: Use socket cb instead of global->nl_cb in send_and_recv()")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
The OpenSSL 3.x version of crypto_ec_key_parse_priv using
OSSL_DECODER_CTX missed the call to free the context. Fix it to avoid a
memory leak.
Fixes: 4f4479ef9e ("OpenSSL: crypto_ec_key_parse_{priv,pub}() without EC_KEY API")
Signed-off-by: Jouni Malinen <j@w1.fi>
Use smaller variables when possible and reorder the variables to avoid
unnecessary padding. This drops struct mld_link_info size from 64 to 48
bytes and removes 240 bytes from struct sta_info.
Signed-off-by: Jouni Malinen <j@w1.fi>
This function has been used only within beacon.c and it got accidentally
converted to a global function.
Fixes: 6b5e00a80e ("AP: Use a struct for Probe Response generation in/out params")
Signed-off-by: Jouni Malinen <j@w1.fi>
Replace the fixed length maximum buffer size for STA profile with
dynamically allocated buffers for active links. This reduces struct
mld_link_info size by almost 16 kB and drops the per-STA information in
struct sta_info to a more reasonable size to avoid the almost 10x
increase from MLO support.
In addition, free the resp_sta_profile buffers as soon as the ML element
has bee generated for (Re)Association Response frame since those buffers
are not needed after that.
Signed-off-by: Jouni Malinen <j@w1.fi>
The singleton RADIUS client design did not address the deinit path
properly. Since hapd->radius could be shared with another links, the
pointer on all those other links needs to be cleared before freeing the
RADIUS client context. Without this, deinit path could have ended trying
to use freed memory when clearing STA entries from other links and
trying to flush any pending RADIUS client messages.
Fixes: a213fee11d ("AP: MLO: Make IEEE 802.1X SM, authserv, and RADIUS client singletons")
Signed-off-by: Jouni Malinen <j@w1.fi>
Allow the Timeout Interval Type field in the Timeout Interval element to
be overridden with a different value for testing purposes to be able to
bypass the association comeback processing in mac80211. This allows the
wpa_supplicant internal functionality to be tested.
Signed-off-by: Jouni Malinen <j@w1.fi>
- CMAC and GMAC modes
- 128-bit and 256-bit modes
- normal BIP and BIP using BCE
- test vectors with minimum and optional additional header elements in
S1G beacon frames
- S1G Beacon Compatibility element in some cases, no other beacon body
components
Signed-off-by: Henry Ptasinski <henry@e78com.com>
Signed-off-by: Andrew Pope <andrew.pope@morsemicro.com>
Signed-off-by: David Goodall <dave@morsemicro.com>
hostapd reads the list of Rx Key Holders from hostapd.conf file.
However, for systems where topology changes dynamically, the update
of RxKHs list is required without reloading the whole configuration.
Introduce a new source of RxKH definition with original syntax:
- rxkh_file - Path to a file containing a list of RxKHs.
In addition, add a control interface command RELOAD_RXKHS to
reload RxKHs definition from the file specified in `rxkh_file`.
This allows hostapd to properly distribute Rx keys even after topology
change (assuming rxkh_file is updated and reload_rxkhs command issued).
Syntax of rxkh_file is the same as extraction of r0kh and r1kh options
from original hostapd.conf file.
```
r0kh=ff:ff:ff:ff:ff:ff * 00112233445566778899aabbccddeeff
r0kh=ff:ff:ff:ff:ff:ff * 00112233445566778899aabbccddeeff
r1kh=00:00:00:00:00:00 00:00:00:00:00:00 00112233445566778899aabbccddeef
r1kh=00:00:00:00:00:00 00:00:00:00:00:00 00112233445566778899aabbccddeef
r1kh=00:00:00:00:00:00 00:00:00:00:00:00 00112233445566778899aabbccddeef
```
Signed-off-by: Dariusz Kopka <dariusz@plume.com>
Smartcard support uses the ENGINE API of OpenSSL, which has been
deprecated as of OpenSSL 3. Rather than migrating the code to the new API
or pretending that we do not support OpenSSL 3, accept that we use
deprecated functionality.
Signed-off-by: Jouke Witteveen <j.witteveen@gmail.com>
NL80211_WPA_VERSION_3 was only added in kernel 5.2 so it should not be
set for older kernel versions. There is no direct way to check if the
value is supported. However, we can use the new infrastructure to check
whether the kernel has the NL80211_ATTR_SAE_PASSWORD attribute. It is
related and was added at the same time.
Fixes: 6cc78b3945 ("nl80211: Set NL80211_WPA_VERSION_2 vs. _3 based on AKM")
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Now that we have a more advanced check for the differences within the
Key Data field, nonzero Key Data Length case can be determined to be
EAPOL-Key msg 4/4 if there is no RSNE in the Key Data field.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Allow the Key Data field to be encrypted in EAPOL-Key msg 2/4 and 4/4.
This is for testing purposes to enable a convenient mechanism for
testing Authenticator behavior with either potential future extensions
or unexpected Supplicant behavior.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Extend RSN authenticator to be able to process EAPOL-Key msg 2/4 and 4/4
messages in cases where the Key Data field is encrypted using AES key
wrapping (i.e., non-AEAD cipher). While there is not yet any defined
case where such encryption would be used in IEEE Std 802.11-2020,
extensions are considered to be added to use such constructions (e.g.,
in IEEE P802.11bh). As such, it is good to extend the parsing and
processing rules in the authenticator to be ready for such
functionality.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Allow additional elements and KDEs to be added to EAPOL-Key msg 2/4 and
4/4. This is for testing purposes to enable a convenient mechanism for
testing Authenticator behavior with either potential future extensions or
incorrect Supplicant behavior.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
The initial Authenticator implementation depended on the Key Data field
being empty for EAPOL-Key msg 4/4. This worked fine for years in
practice, but in theory, vendor specific elements or KDEs could have
been added inti EAPOL-Key msg 4/4 and that would have broken this
design. In addition, the MLD case did introduce a KDE into EAPOL-Key msg
4/4 and required changes here.
As an initial step to make this more robust for future extensions,
recognize a received EAPOL-Key message as msg 4/4 if it is for RSN
(i.e., not WPAv1), has Secure=1, contains an unencrypted Key Data field,
and does not include RSNE.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Allow additional elements and KDEs to be added to EAPOL-Key msg 1/4 and
3/4 and allow EAPOL-Key msg 3/4 Key Data field to be not encrypted.
These are for testing purposes to enable a convenient mechanism for
testing supplicant behavior with either potential future extensions or
incorrect Authenticator behavior.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Handle the center frequency to channel mapping more cleanly by skipping
the cases where the center frequencies are not set and verifying that
the mapping succeeds when they are set.
Signed-off-by: Jouni Malinen <j@w1.fi>
seg0 and seg1 variables can have any initial value, but they may cause
the BSS to have a wrong configuration later on in cases where the
separate center frequencies are not set.
Signed-off-by: Baligh Gasmi <gasmibal@gmail.com>
When p2p->state == P2P_LISTEN_ONLY, the statement before it
'p2p->cfg->is_p2p_in_progress(p2p->cfg->cb_ctx)' will be true, too, so
this function will print a message "Operation in progress" and return;
the workaround to handle listen failure will be never reached.
I met such an error when the 'remain-on-channel' command failed, then
the function p2p_ext_listen_timeout() just printed 'Operation in
progress' again and again, and the listen operation was not started
anymore.
Fixes: 0f1034e388 ("P2P: Refrain from performing extended listen during P2P connection")
Signed-off-by: zhuhai <zhuhai.mail@163.com>
There are multiple redundant MIN macro declarations, some of which are
not protecting against side effects. Move it to common.h instead.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
The kernel will reject commands if newer attributes are included even
though they should not be. Add appropriate checks in set_ap().
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Older kernel versions may not support all attributes and may refuse
commands that include them. To avoid sending too new attributes query
the highest supported attribute. This allows adding appropriate checks
where needed.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Previously, we would only pass the event to the first interface that
matches. However, one wiphy can have multiple interfaces and each one
needs to get the event delivered. Without this, it could e.g. happen
that a radar detection event is forwarded to p2p-dev-wlan0 and not to
the wlan0 interface which actually needs it.
As such, keep iterating if we are processing a wiphy match and send the
event to all affected BSSs.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
The dpp_test DPP_TEST_STOP_AT_AUTH_CONF case is supposed to prevent the
GAS exchange from happening. It was possible to bypass that testing
functionality if the TX status event for the Authentication Confirm
message was lost or delayed long enough for the GAS Request to be
proessed first. This could happen at least with UML time travel.
Work around this by checking for the special dpp_test case within GAS
request handling.
Signed-off-by: Jouni Malinen <j@w1.fi>
This was done with spatch using the following semantic patch and minor
manual edits to clean up coding style and avoid compiler warnings in
driver_wext.c:
@@
expression a,b;
@@
- os_memcmp(a, b, ETH_ALEN) == 0
+ ether_addr_equal(a, b)
@@
expression a,b;
@@
- os_memcmp(a, b, ETH_ALEN) != 0
+ !ether_addr_equal(a, b)
@@
expression a,b;
@@
- !os_memcmp(a, b, ETH_ALEN)
+ ether_addr_equal(a, b)
Signed-off-by: Jouni Malinen <j@w1.fi>
Missing array referencing ended up only the first entry in the list to
be compared.
Fixes: 31fcea931d ("WPS 2.0: Add support for AuthorizedMACs attribute")
Signed-off-by: Jouni Malinen <j@w1.fi>
This makes a code more readable for the large number of cases that use
os_memcmp() to check whether two ethernet addresses are equal.
Signed-off-by: Jouni Malinen <j@w1.fi>
If CONFIG_FILS isn't set, the compiler complains about unused variables.
Fix it.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Fix commit 5545d995b3 which could use undefined symbol
testing_fail_alloc() in os_malloc() if CONFIG_WPA_TRACE=y is used
without CONFIG_WPA_TRACE_BFD=y.
Fixes: 5545d995b3 ("trace: Share common implementation for TEST_FAIL and TEST_ALLOC_FAIL")
Signed-off-by: Jintao Lin <jintaolin@chromium.org>
The AP MLD MAC address is meant to be preserved here, but since it's
reset to zeroes before attempting to authenticate in
nl80211_mark_disconnected(), we can't just point to the AP MLD MAC
address in drv->auth_ap_mld_addr. Fix it by using a copy.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
When a station tries to authenticate to an AP that is affiliated with an
AP MLD, we need to remove all station instances from all the APs.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
If the station is not an MLO station do not attempt to find the
association station and return false in the ML specific disconnection
processing.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
This avoids unnecessary code duplication and adds the sta->wpa_sm deinit
calls for deauthentication while it was previously done only in the
disassociation case.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Set the current value instead of hardcoded 1.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
cfg80211 requires the link ID to be specified for requests to start a
remain-on-channel operation during an ML association. This feels wrong
since the ROC operation is in most cases unrelated to the
association. However, that requirement has been in place since kernel
commit 7b0a0e3c3a88 ("wifi: cfg80211: do some rework towards MLO link
APIs") from April 2022, and as such, it looks necessary to have
wpa_supplicant work around this by specifying the currently used link ID
that would seem to match the ROC channel most closely.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Commit 31e025c033 ("AP: When sending Action frames, use the AP MLD MAC
address if needed") added this for hostapd_drv_send_action(), but the
A3=BSSID variant of that function needs similar changes for GAS to work
correctly with STAs that are currently associated with MLO.
Signed-off-by: Jouni Malinen <j@w1.fi>
Invert the check on hapd->conf->mld_ap on the affiliated links to
actually call the link specific callback handler. This is needed to set
the STA associated.
Fixes: 55038680a6 ("AP: MLO: Handle association callback")
Signed-off-by: Jouni Malinen <j@w1.fi>
This is needed to allow RSN operations, like PTK rekeying, to be
completed on the correct STA entry. The previous design worked by
accident since it was using the WLAN_STA_ASSOC flag and the code that
was supposed to set that flag did not work correctly and left it unset
for the interfaces that were not used for the initial 4-way handshake.
That needs to be fixed, so this search need to be extended to be able to
prefer the STA entry that has sta->wpa_sm set instead of just the
WLAN_STA_ASSOC flag.
Signed-off-by: Jouni Malinen <j@w1.fi>
The change to use a helper function for checking he_6ghz_reg_pwr_type
missed the difference between two types of checks for different values:
indoor AP vs. SP AP. Fix this by introducing another helper function to
cover the indoor (i.e., SP and non-SP indoor cases).
Fixes: 121ccadeb4 ("AP: A helper function for determining whether the AP is an SP AP")
Signed-off-by: Jouni Malinen <j@w1.fi>
There are bandwidth 320 MHz-1 and 320 MHz-2 channelization in EHT mode.
When using ACS, user might prefer one of the channelization or both, but
original ACS was unable to take such preference.
Another problem is that the original ACS returns only the ideal channel
but no 320 MHz channelization. The function acs_get_bw_center_chan()
also could not correctly return the center frequency of bandwidth 320
MHz that is decided by ACS.
For example, if ACS decide the ideal channel is channel 37 with
channelization 320 MHz-2 (center frequency 6265 MHz),
acs_get_bw_center_chan() returns 6105 MHz, which is 320 MHz-1.
Extend the support for 320 MHz so that ACS can choose the best channel
according to the user's preference. Also, after calling
acs_find_ideal_chan_mode(), the best channel and bandwidth can be
derived.
The changes are:
- bw_type ACS_BW320 is divided into ACS_BW320_1 and ACS_BW320_2
- in bandwidth 320 MHz, find the best channel and bandwidth according to
user's perference (320 MHz-1, 320 Mhz-2 or both are OK)
- before acs_find_ideal_chan_mode() returns, update bw320_offset in
iface->conf so that the best channel's channelization is recorded.
- get the best center frequency from bw320_offset
Co-developed-by: Money Wang <money.wang@mediatek.com>
Signed-off-by: Michael-CY Lee <michael-cy.lee@mediatek.com>
Introduce a new configuration option, "eht_bw320_offset", which enables
devices to specify a preferred channelization for 320 MHz BSSs when
using automatic channel selection (ACS). This option is applicable only
when the channel is not already decided and the bandwidth is set to 320
MHz.
The value and meaning of the option:
0: auto-detected by ACS
1: 320 MHz-1
2: 320 MHz-2
Co-developed-by: Money Wang <money.wang@mediatek.com>
Signed-off-by: Michael-CY Lee <michael-cy.lee@mediatek.com>
Fix the following bugs about selecting the best channels in the segment:
1. If the 'update_best' once became false, it never becomes true again.
In other word, if one of the channels in the segment is not usable,
the remaining channels in the segment were never able to be the best
channel.
2. The primary channel in the segment might not be usable due to the
insufficient survey data. Therefore, it cannot be the best channel and
we cannot take its factor/weight into account.
Co-developed-by: Money Wang <money.wang@mediatek.com>
Signed-off-by: Michael-CY Lee <michael-cy.lee@mediatek.com>
Allow ACS to pick a HT40- channel in the 2.4 GHz band in addition to the
previously hardcoded HT40+ case.
Co-developed-by: Money Wang <money.wang@mediatek.com>
Signed-off-by: Michael-CY Lee <michael-cy.lee@mediatek.com>
This allows the function to be used outside the context of the
wpa_supplicant control interface implementation.
Signed-off-by: Jintao Lin <jintaolin@chromium.org>
Previously only the SHA-1 -based AKM was supported. Extend that to cover
all PSK AKMs so that the PSK configuration to the driver happens for all
the possible cases during AP start.
Signed-off-by: Vinayak Yadawad <vinayak.yadawad@broadcom.com>
If the regulatory client EIRP PSD values advertised by an AP that is a
standard power AP or indoor standard power AP are insufficient to ensure
that regulatory client limits on total EIRP are always met for all
transmission bandwidths within the bandwidth of the AP’s BSS, the AP
shall also send a TPE element in Beacon and Probe Response frames as
that depicts the regulatory client EIRP limit.
Add support for this.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
According to IEEE P802.11-REVme/D4.0, E.2.7 (6 GHz band), two Transmit
Power Envelope (TPE) elements need to be included by Indoor Standard
Power (Indoor SP) APs. Extend the code to support this.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
According to IEEE P802.11-REVme/D4.0, 9.4.2.169.2 (Neighbor AP
Information field), the 20 MHz PSD subfield in the TBTT Information
field is a signed value with valid range of -127 to +126, while +127
indicates "no maximum transmit power is specified". Fix the default
value advertised.
Fixes: 3db24e4eef ("RNR: Define element format")
Fixes: a7c152d6b8 ("RNR: Add data from neighbor database")
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Add configuration options for setting the Tx Power value
in the Transmit Power Envelope for 6 GHz:
- The Tx power value for default client where the transmit
power interpretation is "Regulatory Client EIRP PSD"
- The Tx power value for subordinate client where the transmit
power interpretation is "Regulatory Client EIRP PSD"
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Update the HE regulatory information AP types based on IEEE
P802.11-REVme/D4.0. Set the default AP type to VLP. Check for valid
values when setting 'he_6ghz_reg_pwr_type' in the interface
configuration.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
In cases of SAE failure and testing, mgmt->sa was used for sending the
Authentication frame. Fix these to use the station address (which is
the MLD MAC address in cases of non-AP MLDs).
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Add a testing configuration such that the AP would be reported as
disabled in the RNR TBTT information MLD parameters included by other
affiliated APs of the AP MLD.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
An affiliated AP of an AP MLD can temporarily be disabled. Other
affiliated APs of the AP MLD indicate this in the Reduced Neighbor
Report (RNR) elements added to their Beacon and Probe Response frames.
When an affiliated AP is disabled, it should be included in the
association exchange, but can be activated only after it is enabled.
Add support identifying disabled APs and propagate the information
to the driver within the associate() callback.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Add support for overriding EHT Operation element puncturing mask
for testing purposes.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
STA EHT MCS and NSS set field size shouldn't depend on AP HE operation
channel width. Fix it.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
If the interface initialization fails, no links might be set when
calling the deinit functions. Those functions need to be prepared for
bss->n_links being 0.
Fixes: 859cbc396f ("nl80211: Remove links when stopping AP MLD in hostapd")
Signed-off-by: Jouni Malinen <j@w1.fi>
If the interface initialization fails, no links might be set when
calling the deinit functions. Those functions need to be prepared for
bss->flink being NULL.
Fixes: 47269be36e ("nl80211: Refactor i802_bss to support multiple links")
Signed-off-by: Jouni Malinen <j@w1.fi>
Add a vendor attribute for EHT testbed STA to configure the
SCS traffic description support in the EHT capabilities of an
Association Request frame.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This is an event indicating to the user space firmware page fault
summary report that the driver has generated from firmware indications.
This summary report is used to analyze major cause of page faults and
associated debug information.
Signed-off-by: Mukul Sharma <quic_mukul@quicinc.com>
Reorder the Element ID List to fill in the values in increasing order to
match the way the Element ID List is defined.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Currently while deciding to create a new Multiple BSSID element based on
the condition when the length reaches 255, the length value being used
is the total element length (including the length of the Element ID and
Length fields as well). However, the value in the length field denotes
the number of octets following it and excluding itself. Hence including
the total length is wrong. This leads to incorrect count of Multiple
BSSID elements.
And while filling the data, the length is considered porperly as it
should be hence we are filling more data in a single go and all data is
filled in MBSSID count which is less than originally calculated. This
ultimately leads to incorrect length calculation during nla_put() and
setting the beacon to the driver fails while putting the Multiple BSSID
element data into the netlink socket buffer.
Fix this issue by considering the length excluding the Element ID and
Length field sizes.
Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
Share VLAN info in RRB when the driver advertises support for VLAN
offload (WPA_DRIVER_FLAGS_VLAN_OFFLOAD). sta->vlan_desc is unused in
this case, only sta->vlan_id is used. Skip the checks that are based on
sta->vlan_desc.
Signed-off-by: Sai Pratyusha Magam <quic_smagam@quicinc.com>
This helper is of no real use anymore, so get rid of it. This completes
send_and_recv*() cleanup. What remains is the most generic
send_and_recv() and two wrappers for it to cover the most common simpler
cases.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This is a variant for the second most common case of send_and_recv() needs:
send a command with a special response handling.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This is a variant for the most common case of send_and_recv() needs:
send a command without needing a special response handling. In addition,
move the helper functions into driver_nl80211.h since these are now
simple wrappers for the more flexible send_and_recv().
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This is not really that helpful as a separate helper function, so get
rid of one of the many send_and_recv() variants.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This is not helpful as a separate helper function anymore, so get rid of
one of the many send_and_recv() variants.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This is independent of the NL80211_ATTR_SOCKET_OWNER use, so add these
attributes from a separate helper function that is called only from
locations that actually start an operation that uses EAPOL frames.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Doing this based on driver support for control port RX or SAE seems like
undesired extra complexity. Just use this in all cases where the special
handle for a longer term operation, like connection or AP mode
operation, is needed.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This is a step towards cleaning up all the workarounds that have showed
up over the years and made the design difficult to understand. This
removes use of the separate registration of process_bss_event() as
NL_CB_VALID for the individual commands since the use of the appropriate
cb (i.e., the one from nl80211_init_bss() in these cases) will already
point to the correct handler.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This is a workaround for some race conditions where the hardcoded use of
global->nl_cb in send_and_recv() ends up getting events delivered
through unexpected context when they happen to arrive at the time when a
command is being processed.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Avoid potential read of one or two octets beyond the end of the
subelement when verifying that there is sufficient amount of data
included in each subelement/element within the MLE in Association
Request frames.
Signed-off-by: Jouni Malinen <j@w1.fi>
Instead of rejecting the Multi-Link element, skip unknown subelements to
be less likely to cause interop issues for future. IEEE P802.11be/D5.0
allows other optional subelements to be included here.
Signed-off-by: Jouni Malinen <j@w1.fi>
This function is both updating the hostapd-internal sta->flags value and
sending out the AP-STA-CONNECTED control interface message. When
authorizing a STA, the call to this function is followed by a driver
command to update the flags of the STA entry in the driver. That has a
race condition at least for UML time-travel since the AP-STA-CONNECTED
event is used as a message to wait for before running a connectivity
test or some other operation that depends on the data connection being
in working condition.
Split the function into two steps so that the driver STA entry update
can be done between those two steps for the cases where it matters for
the race condition. In other words, send the AP-STA-CONNECTED message
only after having authorized the STA in the driver.
Signed-off-by: Jouni Malinen <j@w1.fi>
The check for extra data was not dereferencing the pointer, but avoid
complaints about such uses by freeing the decrypted data only after the
check. The hexdump could have read freed memory, so that needs to be
before the freeing.
Fixes: 54ac6ff8c4 ("PKCS 1: Add function for checking v1.5 RSA signature")
Signed-off-by: Jouni Malinen <j@w1.fi>
Even though this function is documented to always return 1, be more
consistent in checking that to avoid warnings from static analyzers.
Signed-off-by: Jouni Malinen <j@w1.fi>
This memcpy was causing warnings from static analyzers since it is being
misinterpreted as copying all the data into the lnkid.bssid[] array
instead of that and the following arrays. Since the copy is not needed
at all, just use the original pointer to get rid of these warnings.
Signed-off-by: Jouni Malinen <j@w1.fi>
Verify that sta is not NULL before calling
hostapd_process_assoc_ml_info() that references this parameter. In
theory, sta might be NULL here if addition of the STA entry failed in
the 60 GHz case.
Signed-off-by: Jouni Malinen <j@w1.fi>
This line seemed to trigger SIGSEGV in some code coverage testing cases.
It is not exactly clear how that was possible, but just in case, check
that iface->current_mode is set before using it here.
Signed-off-by: Jouni Malinen <j@w1.fi>
If the BSS TM Request for imminent BSS temoval is for a non-AP MLD that
has multiple affiliated links, do not schedule full disconnection since
other links remain associated.
Signed-off-by: Jouni Malinen <j@w1.fi>
Allow link removal imminent indication to be added with the new
link_removal_imminent=1 parameter to BSS_TM_REQ.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Based on IEEE P802.11be/D5.0, when a station is non-AP MLD with more
than one link the combination of the Link Removal Imminent field set to
1 and the BSS Termination Included field set to 1 means than only one of
the links is removed while the other links will remains associated.
Handle this case without starting a scan to find another BSS.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
When the AP MLD sends an Action frame to a non-AP MLD, use the AP MLD
MAC address instead of the local AP address (BSSID).
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
When the AP is configured to operate as an AP MLD, use the AP MLD MAC
address when needed for transmission of WNM Action frames.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
If ioctl() returns EBUSY on the command SIOCBRADDIF, the interface might
have already been added to the bridge by an external operation (e.g.,
netifd in OpenWrt), and linux_br_add_if() should not indicate an error.
Check whether the interface is correctly brigded when ioctl()
returns EBUSY and if so, report success.
Signed-off-by: Michael-CY Lee <michael-cy.lee@mediatek.com>
Remove a spurious \tab char in hostapd_eid_rnr() between arguments to a
function.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
In case the TBTT information is reporting about an AP in the same AP MLD
as the current AP, the AP MLD ID in the MLD Parameters subfield should
be set to 0.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Link ID needs to be specified for MLD case when doing channel switch.
Add it to the driver command.
Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
There are different CHAN_SWITCH flows for DFS and non-DFS channels.
Non-DFS one saves previous BW value in iface->conf, but DFS flow
replaces it with a new user requested value. Setting a non-DFS channel
after a DFS one with BW = 160 would have resulted in a mismatch between
the saved BW and vht_capab (if VHT160 was not included by default). This
would have led to a check fail in the hostapd_set_freq_params()
function.
Signed-off-by: Dmitrijs Martinovs <dmartinovs@maxlinear.com>
It is possible for the start_listen() callback to be called to request
the driver to start a driver operation and stop_listen() called
immediately after that (e.g., due to a request to transmit a P2P Public
Action frame) before the driver has had time to start ROC and send an
event to notify of that. Such a sequence could result in
p2p->pending_listen_freq being left to a nonzero value without getting a
call to p2p_listen_cb() to clear it. This would stop an ongoing P2P
listen operation since no following p2p_listen() call would start the
listen due to the pending command being assumed to be in effect.
Fix this by detecting this particular sequence and clearing
p2p->pending_listen_freq.
This was found with the p2p_listen_and_offchannel_tx test case with the
new kernel scheduled and UML time-travel.
Signed-off-by: Jouni Malinen <j@w1.fi>
With changes to optimize scan for specific BSSID, there arises a
scenario where in nl80211_trigger_scan() is called with a scan
randomization enabled. A combination of NL80211_ATTR_MAC for BSSID and
scan randomization, which uses NL80211_ATTR_MAC for a different purpose,
results in invalid error for the scan request. To fix the issue use
attribute NL80211_ATTR_BSSID instead of NL80211_ATTR_MAC.
NL80211_ATTR_BSSID was introduced in kernel commit 2fa436b3a2a7
("nl80211: Use different attrs for BSSID and random MAC addr in scan
req") in 2016. Prior to that, only NL80211_ATTR_MAC could be used for
specifying the target BSSID. For backwards compatibility, add the
NL80211_ATTR_MAC attribute as well when not using a random MAC address.
Signed-off-by: Vinayak Yadawad <vinayak.yadawad@broadcom.com>
The underlying driver can reject only specific links in an association
request. In that case we will only ignore the corresponding BSS. Add a
test for this flow by simulating an association failure on the second
link specifically.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>