Commit graph

9566 commits

Author SHA1 Message Date
Jouni Malinen
f7a903654f Extend mechanism to distinguish EAPOL-Key msg 2/4 from 4/4
The initial Authenticator implementation depended on the Key Data field
being empty for EAPOL-Key msg 4/4. This worked fine for years in
practice, but in theory, vendor specific elements or KDEs could have
been added inti EAPOL-Key msg 4/4 and that would have broken this
design. In addition, the MLD case did introduce a KDE into EAPOL-Key msg
4/4 and required changes here.

As an initial step to make this more robust for future extensions,
recognize a received EAPOL-Key message as msg 4/4 if it is for RSN
(i.e., not WPAv1), has Secure=1, contains an unencrypted Key Data field,
and does not include RSNE.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-01-16 15:52:34 +02:00
Jouni Malinen
3547ed403d Authenticator side testing functionality for EAPOL-Key Key Data field
Allow additional elements and KDEs to be added to EAPOL-Key msg 1/4 and
3/4 and allow EAPOL-Key msg 3/4 Key Data field to be not encrypted.
These are for testing purposes to enable a convenient mechanism for
testing supplicant behavior with either potential future extensions or
incorrect Authenticator behavior.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-01-16 13:04:59 +02:00
Jouni Malinen
38719f113e Verify center frequency seg0/seg1 mapping result before use
Handle the center frequency to channel mapping more cleanly by skipping
the cases where the center frequencies are not set and verifying that
the mapping succeeds when they are set.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-01-14 21:14:42 +02:00
Baligh Gasmi
acea0654f0 Initialize the variables before using it in channel update
seg0 and seg1 variables can have any initial value, but they may cause
the BSS to have a wrong configuration later on in cases where the
separate center frequencies are not set.

Signed-off-by: Baligh Gasmi <gasmibal@gmail.com>
2024-01-14 21:13:24 +02:00
朱海
af6e21faa0 P2P: Fix a logical error of workaround of extended listen failure
When p2p->state == P2P_LISTEN_ONLY, the statement before it
'p2p->cfg->is_p2p_in_progress(p2p->cfg->cb_ctx)' will be true, too, so
this function will print a message "Operation in progress" and return;
the workaround to handle listen failure will be never reached.

I met such an error when the 'remain-on-channel' command failed, then
the function p2p_ext_listen_timeout() just printed 'Operation in
progress' again and again, and the listen operation was not started
anymore.

Fixes: 0f1034e388 ("P2P: Refrain from performing extended listen during P2P connection")
Signed-off-by: zhuhai <zhuhai.mail@163.com>
2024-01-14 21:13:24 +02:00
Andrei Otcheretianski
abc239a0b0 Get rid of multiple MIN macros
There are multiple redundant MIN macro declarations, some of which are
not protecting against side effects. Move it to common.h instead.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2024-01-14 20:13:20 +02:00
Jouni Malinen
12cdeb5016 nl80211: Print driver name in debug output
This can be helpful in debugging some driver specific issues.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-01-14 17:32:22 +02:00
Jouni Malinen
197b440c49 nl80211: Print kernel version in debug output
This can be helpful in debugging some kernel specific issues.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-01-14 17:18:57 +02:00
Benjamin Berg
5ae010aae5 nl80211: Avoid sending unsupported attributes
The kernel will reject commands if newer attributes are included even
though they should not be. Add appropriate checks in set_ap().

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-01-14 17:13:37 +02:00
Benjamin Berg
7fec9e7bc1 nl80211: Retrieve maxattr via genl for nl80211
Older kernel versions may not support all attributes and may refuse
commands that include them. To avoid sending too new attributes query
the highest supported attribute. This allows adding appropriate checks
where needed.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-01-14 17:11:24 +02:00
Benjamin Berg
f136837202 nl80211: Pass wiphy events to all affected interfaces
Previously, we would only pass the event to the first interface that
matches. However, one wiphy can have multiple interfaces and each one
needs to get the event delivered. Without this, it could e.g. happen
that a radar detection event is forwarded to p2p-dev-wlan0 and not to
the wlan0 interface which actually needs it.

As such, keep iterating if we are processing a wiphy match and send the
event to all affected BSSs.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-01-14 17:03:06 +02:00
Jouni Malinen
f9b3ecb0ad DPP: Work arouind missing Auth Confirm ACK for testing
The dpp_test DPP_TEST_STOP_AT_AUTH_CONF case is supposed to prevent the
GAS exchange from happening. It was possible to bypass that testing
functionality if the TX status event for the Authentication Confirm
message was lost or delayed long enough for the GAS Request to be
proessed first. This could happen at least with UML time travel.

Work around this by checking for the special dpp_test case within GAS
request handling.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-01-14 12:10:04 +02:00
Jouni Malinen
2d83d224ff Use ether_addr_equal() to compare whether two MAC addresses are equal
This was done with spatch using the following semantic patch and minor
manual edits to clean up coding style and avoid compiler warnings in
driver_wext.c:

@@
expression a,b;
@@
-	os_memcmp(a, b, ETH_ALEN) == 0
+	ether_addr_equal(a, b)

@@
expression a,b;
@@
-	os_memcmp(a, b, ETH_ALEN) != 0
+	!ether_addr_equal(a, b)

@@
expression a,b;
@@
-	!os_memcmp(a, b, ETH_ALEN)
+	ether_addr_equal(a, b)

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-01-13 23:47:21 +02:00
Jouni Malinen
58027cfecc WPS: Fix authorized MAC removal
Missing array referencing ended up only the first entry in the list to
be compared.

Fixes: 31fcea931d ("WPS 2.0: Add support for AuthorizedMACs attribute")
Signed-off-by: Jouni Malinen <j@w1.fi>
2024-01-13 23:47:20 +02:00
Jouni Malinen
95123ab3b3 Introduce ether_addr_equal()
This makes a code more readable for the large number of cases that use
os_memcmp() to check whether two ethernet addresses are equal.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-01-13 23:47:20 +02:00
Andrei Otcheretianski
76616a46b9 RSN: Fix (B)IGTK MLO KDE length print
Array pointer was mistakenly printed instead of actual length.
Fix it.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2024-01-13 23:47:20 +02:00
Andrei Otcheretianski
8e8964cdbd AP: Fix compilation warning in hapd_pasn_update_params()
If CONFIG_FILS isn't set, the compiler complains about unused variables.
Fix it.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2024-01-13 23:47:20 +02:00
Jintao Lin
628f286102 trace: Fix compilation issue due to using an undefined symbol
Fix commit 5545d995b3 which could use undefined symbol
testing_fail_alloc() in os_malloc() if CONFIG_WPA_TRACE=y is used
without CONFIG_WPA_TRACE_BFD=y.

Fixes: 5545d995b3 ("trace: Share common implementation for TEST_FAIL and TEST_ALLOC_FAIL")
Signed-off-by: Jintao Lin <jintaolin@chromium.org>
2024-01-13 23:47:20 +02:00
Ilan Peer
cbcd056ece AP: Fix a typo in function name
Rename hostpad_dfs_update_background_chain() to
hostapd_dfs_update_background_chain().

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2024-01-13 23:47:20 +02:00
Johannes Berg
f40a588335 nl80211: Fix AP MLD MAC address on auth retry
The AP MLD MAC address is meant to be preserved here, but since it's
reset to zeroes before attempting to authenticate in
nl80211_mark_disconnected(), we can't just point to the AP MLD MAC
address in drv->auth_ap_mld_addr. Fix it by using a copy.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2024-01-13 22:33:22 +02:00
Ilan Peer
38711a011f AP MLD: Remove link stations on a new station authentication
When a station tries to authenticate to an AP that is affiliated with an
AP MLD, we need to remove all station instances from all the APs.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2024-01-13 22:29:21 +02:00
Ilan Peer
c6f519ff15 AP: Support deauthenticate/disassociate with MLD
When requested to deauthenticate/disassociate a station also handle the
corresponding MLD stations.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2024-01-13 22:29:19 +02:00
Ilan Peer
9c937c8891 AP: Move hostapd_ml_get_assoc_sta() to shared
So it could be used from different contexts.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2024-01-13 22:20:30 +02:00
Ilan Peer
ea401c168e AP MLD: Fix station lookup in hostapd_ml_get_assoc_sta()
If the station is not an MLO station do not attempt to find the
association station and return false in the ML specific disconnection
processing.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2024-01-13 22:17:21 +02:00
Ilan Peer
e9f75a3520 AP: Unify code handling deauthentication/disassociation
This avoids unnecessary code duplication and adds the sta->wpa_sm deinit
calls for deauthentication while it was previously done only in the
disassociation case.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2024-01-13 22:14:17 +02:00
Ilan Peer
2112f0572f AP MLD: Correctly set the BSS parameters change count in RNR
Set the current value instead of hardcoded 1.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2024-01-13 19:44:05 +02:00
Hu Wang
0120d052d7 nl80211: Add NL80211_ATTR_MLO_LINK_ID for NL80211_CMD_REMAIN_ON_CHANNEL
cfg80211 requires the link ID to be specified for requests to start a
remain-on-channel operation during an ML association. This feels wrong
since the ROC operation is in most cases unrelated to the
association. However, that requirement has been in place since kernel
commit 7b0a0e3c3a88 ("wifi: cfg80211: do some rework towards MLO link
APIs") from April 2022, and as such, it looks necessary to have
wpa_supplicant work around this by specifying the currently used link ID
that would seem to match the ROC channel most closely.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-01-13 19:39:03 +02:00
Jouni Malinen
6ea81f3238 nl80211: More detailed debug print for Management frame TX
Print all three addresses to make it easier to debug issues with
Management frame sending.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-01-13 19:09:31 +02:00
Jouni Malinen
9ccfc0d516 AP MLD: MLD address conversion for hostapd_drv_send_action_addr3_ap()
Commit 31e025c033 ("AP: When sending Action frames, use the AP MLD MAC
address if needed") added this for hostapd_drv_send_action(), but the
A3=BSSID variant of that function needs similar changes for GAS to work
correctly with STAs that are currently associated with MLO.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-01-13 19:09:31 +02:00
Jouni Malinen
febb51bf87 AP MLD: Fix Association Response frame ACK handling
Invert the check on hapd->conf->mld_ap on the affiliated links to
actually call the link specific callback handler. This is needed to set
the STA associated.

Fixes: 55038680a6 ("AP: MLO: Handle association callback")
Signed-off-by: Jouni Malinen <j@w1.fi>
2024-01-13 19:09:31 +02:00
Jouni Malinen
07f44a7c42 AP MLD: Prefer STA entry that has sta->wpa_sm initialized
This is needed to allow RSN operations, like PTK rekeying, to be
completed on the correct STA entry. The previous design worked by
accident since it was using the WLAN_STA_ASSOC flag and the code that
was supposed to set that flag did not work correctly and left it unset
for the interfaces that were not used for the initial 4-way handshake.
That needs to be fixed, so this search need to be extended to be able to
prefer the STA entry that has sta->wpa_sm set instead of just the
WLAN_STA_ASSOC flag.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-01-13 19:09:31 +02:00
Nirav Shah
0aeeaaaf13 Add QCA vendor command for flow policy configuration
Define subcmd ID 239 for flow policy configuration.

Signed-off-by: Nirav Shah <quic_nnshah@quicinc.com>
2024-01-12 19:25:05 +02:00
Jouni Malinen
064c233d1e AP: Fix a regression in indoor 6 GHz AP determination
The change to use a helper function for checking he_6ghz_reg_pwr_type
missed the difference between two types of checks for different values:
indoor AP vs. SP AP. Fix this by introducing another helper function to
cover the indoor (i.e., SP and non-SP indoor cases).

Fixes: 121ccadeb4 ("AP: A helper function for determining whether the AP is an SP AP")
Signed-off-by: Jouni Malinen <j@w1.fi>
2024-01-04 11:04:20 +02:00
Michael-CY Lee
98f3bd26de ACS: Extend the 320 MHz support
There are bandwidth 320 MHz-1 and 320 MHz-2 channelization in EHT mode.
When using ACS, user might prefer one of the channelization or both, but
original ACS was unable to take such preference.

Another problem is that the original ACS returns only the ideal channel
but no 320 MHz channelization. The function acs_get_bw_center_chan()
also could not correctly return the center frequency of bandwidth 320
MHz that is decided by ACS.

For example, if ACS decide the ideal channel is channel 37 with
channelization 320 MHz-2 (center frequency 6265 MHz),
acs_get_bw_center_chan() returns 6105 MHz, which is 320 MHz-1.

Extend the support for 320 MHz so that ACS can choose the best channel
according to the user's preference. Also, after calling
acs_find_ideal_chan_mode(), the best channel and bandwidth can be
derived.

The changes are:
- bw_type ACS_BW320 is divided into ACS_BW320_1 and ACS_BW320_2
- in bandwidth 320 MHz, find the best channel and bandwidth according to
  user's perference (320 MHz-1, 320 Mhz-2 or both are OK)
- before acs_find_ideal_chan_mode() returns, update bw320_offset in
  iface->conf so that the best channel's channelization is recorded.
- get the best center frequency from bw320_offset

Co-developed-by: Money Wang <money.wang@mediatek.com>
Signed-off-by: Michael-CY Lee <michael-cy.lee@mediatek.com>
2023-12-23 16:38:06 +02:00
Michael-CY Lee
e6f2494c3a hostapd: Add eht_bw320_offset configuration option
Introduce a new configuration option, "eht_bw320_offset", which enables
devices to specify a preferred channelization for 320 MHz BSSs when
using automatic channel selection (ACS). This option is applicable only
when the channel is not already decided and the bandwidth is set to 320
MHz.

The value and meaning of the option:
0: auto-detected by ACS
1: 320 MHz-1
2: 320 MHz-2

Co-developed-by: Money Wang <money.wang@mediatek.com>
Signed-off-by: Michael-CY Lee <michael-cy.lee@mediatek.com>
2023-12-23 16:38:06 +02:00
Michael-CY Lee
733de85680 ACS: Fix not selecting the best channel in the segment
Fix the following bugs about selecting the best channels in the segment:
1. If the 'update_best' once became false, it never becomes true again.
   In other word, if one of the channels in the segment is not usable,
   the remaining channels in the segment were never able to be the best
   channel.
2. The primary channel in the segment might not be usable due to the
   insufficient survey data. Therefore, it cannot be the best channel and
   we cannot take its factor/weight into account.

Co-developed-by: Money Wang <money.wang@mediatek.com>
Signed-off-by: Michael-CY Lee <michael-cy.lee@mediatek.com>
2023-12-23 15:28:50 +02:00
Michael-CY Lee
4881accbb4 ACS: Add HT40- support in the 2.4 GHz band
Allow ACS to pick a HT40- channel in the 2.4 GHz band in addition to the
previously hardcoded HT40+ case.

Co-developed-by: Money Wang <money.wang@mediatek.com>
Signed-off-by: Michael-CY Lee <michael-cy.lee@mediatek.com>
2023-12-23 15:16:57 +02:00
Jintao Lin
0143cf42cd Move parse_freq() to be a common helper function
This allows the function to be used outside the context of the
wpa_supplicant control interface implementation.

Signed-off-by: Jintao Lin <jintaolin@chromium.org>
2023-12-23 11:59:19 +02:00
Vinayak Yadawad
b91113e05f Support all PSK AKMs in case of AP mode PSK offload
Previously only the SHA-1 -based AKM was supported. Extend that to cover
all PSK AKMs so that the PSK configuration to the driver happens for all
the possible cases during AP start.

Signed-off-by: Vinayak Yadawad <vinayak.yadawad@broadcom.com>
2023-12-23 11:24:26 +02:00
Jouni Malinen
4efb0247a0 Update definitions to point to the current IEEE 802.11 standard
The previous references were to various snapshots of the standard and
draft versions.

Signed-off-by: Jouni Malinen <j@w1.fi>
2023-12-22 21:30:28 +02:00
Jouni Malinen
121ccadeb4 AP: A helper function for determining whether the AP is an SP AP
Get rid of unnecessary code duplication.

Signed-off-by: Jouni Malinen <j@w1.fi>
2023-12-22 20:57:53 +02:00
Jouni Malinen
24baffc8b6 AP: Share a common helper function for determining length of TPE elements
There is no need to maintain three copies of almost identical code.

Signed-off-by: Jouni Malinen <j@w1.fi>
2023-12-22 20:54:40 +02:00
Ilan Peer
150ee0c068 AP: Add an additional TPE element when needed
If the regulatory client EIRP PSD values advertised by an AP that is a
standard power AP or indoor standard power AP are insufficient to ensure
that regulatory client limits on total EIRP are always met for all
transmission bandwidths within the bandwidth of the AP’s BSS, the AP
shall also send a TPE element in Beacon and Probe Response frames as
that depicts the regulatory client EIRP limit.

Add support for this.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2023-12-22 20:43:27 +02:00
Ilan Peer
3cbb3ac3fa AP: Add TPE element for Indoor standard power AP
According to IEEE P802.11-REVme/D4.0, E.2.7 (6 GHz band), two Transmit
Power Envelope (TPE) elements need to be included by Indoor Standard
Power (Indoor SP) APs. Extend the code to support this.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2023-12-22 18:22:04 +02:00
Andrei Otcheretianski
bcad7fec65 AP: Publish the correct PSD value in RNR TBTT information field
According to IEEE P802.11-REVme/D4.0, 9.4.2.169.2 (Neighbor AP
Information field), the 20 MHz PSD subfield in the TBTT Information
field is a signed value with valid range of -127 to +126, while +127
indicates "no maximum transmit power is specified". Fix the default
value advertised.

Fixes: 3db24e4eef ("RNR: Define element format")
Fixes: a7c152d6b8 ("RNR: Add data from neighbor database")
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-12-22 18:20:28 +02:00
Ilan Peer
7065e5242a AP: Add configuration options for 6 GHz TPE Tx power
Add configuration options for setting the Tx Power value
in the Transmit Power Envelope for 6 GHz:

- The Tx power value for default client where the transmit
  power interpretation is "Regulatory Client EIRP PSD"
- The Tx power value for subordinate client where the transmit
  power interpretation is "Regulatory Client EIRP PSD"

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2023-12-22 18:06:49 +02:00
Ilan Peer
ada9083ac4 AP: Update the HE regulatory information AP types for the 6 GHz band
Update the HE regulatory information AP types based on IEEE
P802.11-REVme/D4.0. Set the default AP type to VLP. Check for valid
values when setting 'he_6ghz_reg_pwr_type' in the interface
configuration.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2023-12-22 17:57:26 +02:00
Ilan Peer
2d4f905214 RRM: Add support for including extended ID elements in beacon report
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2023-12-22 17:14:33 +02:00
Ilan Peer
615835626f AP: Use the MLD MAC address for SAE authentication failures and testing
In cases of SAE failure and testing, mgmt->sa was used for sending the
Authentication frame. Fix these to use the station address (which is
the MLD MAC address in cases of non-AP MLDs).

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2023-12-22 16:47:48 +02:00
Jouni Malinen
4a973718d4 Split hostapd_eid_rnr_iface() into two functions
Make this a bit more readable by moving the per-BSS processing into a
helper function.

Signed-off-by: Jouni Malinen <j@w1.fi>
2023-12-22 16:17:20 +02:00
Ilan Peer
0b55b8da3c AP: Add testing option to indicate an AP is disabled
Add a testing configuration such that the AP would be reported as
disabled in the RNR TBTT information MLD parameters included by other
affiliated APs of the AP MLD.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2023-12-22 16:01:40 +02:00
Ilan Peer
2249b9f776 nl80211: Include disabled links indication in association command
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2023-12-22 15:58:12 +02:00
Ilan Peer
5927455b8b MLD: Add support for disabled APs
An affiliated AP of an AP MLD can temporarily be disabled. Other
affiliated APs of the AP MLD indicate this in the Reduced Neighbor
Report (RNR) elements added to their Beacon and Probe Response frames.

When an affiliated AP is disabled, it should be included in the
association exchange, but can be activated only after it is enabled.

Add support identifying disabled APs and propagate the information
to the driver within the associate() callback.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-12-22 15:56:41 +02:00
Ilan Peer
981e8c1e49 nl80211: Add link ID to the queue parameters configuration print
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2023-12-22 15:40:46 +02:00
Ilan Peer
409ebaaa1c AP: Support overriding EHT operation puncturing mask
Add support for overriding EHT Operation element puncturing mask
for testing purposes.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-12-22 14:19:28 +02:00
Andrei Otcheretianski
799115a8eb AP: Fix EHT MCS size validation for received element
STA EHT MCS and NSS set field size shouldn't depend on AP HE operation
channel width. Fix it.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-12-22 13:24:22 +02:00
Jouni Malinen
12a9574342 nl80211: Fix AP deinit path (link removal) in error cases
If the interface initialization fails, no links might be set when
calling the deinit functions. Those functions need to be prepared for
bss->n_links being 0.

Fixes: 859cbc396f ("nl80211: Remove links when stopping AP MLD in hostapd")
Signed-off-by: Jouni Malinen <j@w1.fi>
2023-12-22 11:13:28 +02:00
Jouni Malinen
6c3438eef6 nl80211: Fix AP deinit path in error cases
If the interface initialization fails, no links might be set when
calling the deinit functions. Those functions need to be prepared for
bss->flink being NULL.

Fixes: 47269be36e ("nl80211: Refactor i802_bss to support multiple links")
Signed-off-by: Jouni Malinen <j@w1.fi>
2023-12-22 11:13:25 +02:00
Gururaj Pandurangi
6b7bb10016 Add QCA vendor attribute for EHT SCS traffic description support
Add a vendor attribute for EHT testbed STA to configure the
SCS traffic description support in the EHT capabilities of an
Association Request frame.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-12-21 20:22:49 +02:00
mukul sharma
f8657ea031 Add QCA vendor command for reporting firmware page fault informatin
This is an event indicating to the user space firmware page fault
summary report that the driver has generated from firmware indications.
This summary report is used to analyze major cause of page faults and
associated debug information.

Signed-off-by: Mukul Sharma <quic_mukul@quicinc.com>
2023-12-21 20:18:44 +02:00
Shiva Sankar Gajula
ee00bbd297 Support VLAN offload with SAE password based selection
Allow VLAN selection based on SAE password entries when VLAN offloading
is used.

Signed-off-by: Shiva Sankar Gajula <quic_sgajula@quicinc.com>
2023-12-21 20:12:18 +02:00
Jouni Malinen
09d57e5f89 MBSSID: Element ID values in increasing order in Non-Inheritance element
Reorder the Element ID List to fill in the values in increasing order to
match the way the Element ID List is defined.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-12-21 13:22:03 +02:00
Aditya Kumar Singh
c8dd70cfb1 Fix Multiple BSSID element length calculation
Currently while deciding to create a new Multiple BSSID element based on
the condition when the length reaches 255, the length value being used
is the total element length (including the length of the Element ID and
Length fields as well). However, the value in the length field denotes
the number of octets following it and excluding itself. Hence including
the total length is wrong. This leads to incorrect count of Multiple
BSSID elements.

And while filling the data, the length is considered porperly as it
should be hence we are filling more data in a single go and all data is
filled in MBSSID count which is less than originally calculated. This
ultimately leads to incorrect length calculation during nla_put() and
setting the beacon to the driver fails while putting the Multiple BSSID
element data into the netlink socket buffer.

Fix this issue by considering the length excluding the Element ID and
Length field sizes.

Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
2023-12-21 12:50:27 +02:00
Sai Pratyusha Magam
618df655ae Use sta->vlan_id when needed for VLAN offload
Share VLAN info in RRB when the driver advertises support for VLAN
offload (WPA_DRIVER_FLAGS_VLAN_OFFLOAD). sta->vlan_desc is unused in
this case, only sta->vlan_id is used. Skip the checks that are based on
sta->vlan_desc.

Signed-off-by: Sai Pratyusha Magam <quic_smagam@quicinc.com>
2023-12-21 12:24:35 +02:00
Jouni Malinen
afd306cf79 nl80211: Remove send_and_recv_msgs()
This helper is of no real use anymore, so get rid of it. This completes
send_and_recv*() cleanup. What remains is the most generic
send_and_recv() and two wrappers for it to cover the most common simpler
cases.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-12-19 01:09:22 +02:00
Jouni Malinen
7c2f67cea2 nl80211: Add send_and_recv_resp() helper
This is a variant for the second most common case of send_and_recv() needs:
send a command with a special response handling.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-12-19 01:07:36 +02:00
Jouni Malinen
ab506d7772 nl80211: Add send_and_recv_cmd() helper
This is a variant for the most common case of send_and_recv() needs:
send a command without needing a special response handling. In addition,
move the helper functions into driver_nl80211.h since these are now
simple wrappers for the more flexible send_and_recv().

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-12-19 01:00:23 +02:00
Jouni Malinen
c73f9cde8b nl80211: Remove send_and_recv_msgs_connect_handle()
This is not really that helpful as a separate helper function, so get
rid of one of the many send_and_recv() variants.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-12-19 00:38:11 +02:00
Jouni Malinen
d2e6a395cc nl80211: Do not set socket owner for NL80211_CMD_LEAVE_IBSS
This operation terminates the IBSS and as such, does not really use
NL80211_ATTR_SOCKET_OWNER.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-12-19 00:28:30 +02:00
Jouni Malinen
35e58b7415 nl80211: Remove send_and_recv_msgs_owner()
This is not helpful as a separate helper function anymore, so get rid of
one of the many send_and_recv() variants.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-12-19 00:26:32 +02:00
Jouni Malinen
9823f43053 nl80211: Move control port attribute adding into more accurate location
This is independent of the NL80211_ATTR_SOCKET_OWNER use, so add these
attributes from a separate helper function that is called only from
locations that actually start an operation that uses EAPOL frames.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-12-19 00:20:16 +02:00
Jouni Malinen
0d619df8b3 nl80211: Use bss->nl_connect unconditionally
Doing this based on driver support for control port RX or SAE seems like
undesired extra complexity. Just use this in all cases where the special
handle for a longer term operation, like connection or AP mode
operation, is needed.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-12-18 23:45:09 +02:00
Jouni Malinen
da0d51fee7 nl80211: Use socket cb instead of global->nl_cb in send_and_recv()
This is a step towards cleaning up all the workarounds that have showed
up over the years and made the design difficult to understand. This
removes use of the separate registration of process_bss_event() as
NL_CB_VALID for the individual commands since the use of the appropriate
cb (i.e., the one from nl80211_init_bss() in these cases) will already
point to the correct handler.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-12-18 21:41:32 +02:00
Jouni Malinen
84fdc8cd8b nl80211: Accept NL80211_CMD_FRAME events in global context
This is a workaround for some race conditions where the hardcoded use of
global->nl_cb in send_and_recv() ends up getting events delivered
through unexpected context when they happen to arrive at the time when a
command is being processed.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-12-18 21:08:26 +02:00
Jouni Malinen
828311ef31 AP MLD: More careful checking of Multi-Link element length fields
Avoid potential read of one or two octets beyond the end of the
subelement when verifying that there is sufficient amount of data
included in each subelement/element within the MLE in Association
Request frames.

Signed-off-by: Jouni Malinen <j@w1.fi>
2023-12-17 21:55:10 +02:00
Jouni Malinen
38a5ed5fda AP MLD: Skip unknown Multi-Link element subelements
Instead of rejecting the Multi-Link element, skip unknown subelements to
be less likely to cause interop issues for future. IEEE P802.11be/D5.0
allows other optional subelements to be included here.

Signed-off-by: Jouni Malinen <j@w1.fi>
2023-12-17 21:53:52 +02:00
Jouni Malinen
2ab56694f6 Split ap_sta_set_authorized() into two steps
This function is both updating the hostapd-internal sta->flags value and
sending out the AP-STA-CONNECTED control interface message. When
authorizing a STA, the call to this function is followed by a driver
command to update the flags of the STA entry in the driver. That has a
race condition at least for UML time-travel since the AP-STA-CONNECTED
event is used as a message to wait for before running a connectivity
test or some other operation that depends on the data connection being
in working condition.

Split the function into two steps so that the driver STA entry update
can be done between those two steps for the cases where it matters for
the race condition. In other words, send the AP-STA-CONNECTED message
only after having authorized the STA in the driver.

Signed-off-by: Jouni Malinen <j@w1.fi>
2023-12-17 14:09:57 +02:00
Jouni Malinen
da8a38fecb Remove unused assignment from Country element generation
This looks confusing and can cause warnings from static analyzers.

Signed-off-by: Jouni Malinen <j@w1.fi>
2023-12-17 12:17:43 +02:00
Jouni Malinen
33b5fc0763 PKCS#1: Do not use pointer value after freeing
The check for extra data was not dereferencing the pointer, but avoid
complaints about such uses by freeing the decrypted data only after the
check. The hexdump could have read freed memory, so that needs to be
before the freeing.

Fixes: 54ac6ff8c4 ("PKCS 1: Add function for checking v1.5 RSA signature")
Signed-off-by: Jouni Malinen <j@w1.fi>
2023-12-17 12:17:10 +02:00
Jouni Malinen
231d86ef91 OpenSSL: Check EVP_MAC_update() return value more consistently
Check this in crypto_hash_update() to be more consistent and report any
error in crypto_hash_finish().

Signed-off-by: Jouni Malinen <j@w1.fi>
2023-12-17 12:06:04 +02:00
Jouni Malinen
a92694b001 OpenSSL: Check EVP_CIPHER_CTX_set_padding() return value more consistently
Even though this function is documented to always return 1, be more
consistent in checking that to avoid warnings from static analyzers.

Signed-off-by: Jouni Malinen <j@w1.fi>
2023-12-17 11:58:48 +02:00
Jouni Malinen
88bc6711a7 TDLS: Avoid unnecessary copying of the Link Identifier element
This memcpy was causing warnings from static analyzers since it is being
misinterpreted as copying all the data into the lnkid.bssid[] array
instead of that and the following arrays. Since the copy is not needed
at all, just use the original pointer to get rid of these warnings.

Signed-off-by: Jouni Malinen <j@w1.fi>
2023-12-17 11:51:35 +02:00
Jouni Malinen
656cf50d8b More consistent sta pointer checks in handle_assoc()
Verify that sta is not NULL before calling
hostapd_process_assoc_ml_info() that references this parameter. In
theory, sta might be NULL here if addition of the STA entry failed in
the 60 GHz case.

Signed-off-by: Jouni Malinen <j@w1.fi>
2023-12-17 00:12:59 +02:00
Jouni Malinen
29f38ebcf6 ACS: Check whether iface->current_mode is NULL before use
This line seemed to trigger SIGSEGV in some code coverage testing cases.
It is not exactly clear how that was possible, but just in case, check
that iface->current_mode is set before using it here.

Signed-off-by: Jouni Malinen <j@w1.fi>
2023-12-17 00:02:43 +02:00
Jouni Malinen
7a873c81ee AP MLD: Do not schedule disconnection on BSS TM Request link removal
If the BSS TM Request for imminent BSS temoval is for a non-AP MLD that
has multiple affiliated links, do not schedule full disconnection since
other links remain associated.

Signed-off-by: Jouni Malinen <j@w1.fi>
2023-12-16 19:46:41 +02:00
Ilan Peer
ec70d14f7c AP: MLD: Extend BSS transition management request for link removal
Allow link removal imminent indication to be added with the new
link_removal_imminent=1 parameter to BSS_TM_REQ.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2023-12-16 19:46:41 +02:00
Ilan Peer
80810929a4 WNM: Handle BTM request with Link Removal Imminent field set to 1
Based on IEEE P802.11be/D5.0, when a station is non-AP MLD with more
than one link the combination of the Link Removal Imminent field set to
1 and the BSS Termination Included field set to 1 means than only one of
the links is removed while the other links will remains associated.
Handle this case without starting a scan to find another BSS.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-12-16 19:12:23 +02:00
Ilan Peer
31e025c033 AP: When sending Action frames, use the AP MLD MAC address if needed
When the AP MLD sends an Action frame to a non-AP MLD, use the AP MLD
MAC address instead of the local AP address (BSSID).

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2023-12-16 18:54:39 +02:00
Ilan Peer
54e6c56d25 AP: Use AP MLD MAC address for terminating MLO association
Use the AP MLD MAC address when sending Deauthentication and
Disassociation frames to a non-AP MLD.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2023-12-16 18:49:56 +02:00
Ilan Peer
0546f0e1b0 WNM: Use correct address when configured as AP MLD
When the AP is configured to operate as an AP MLD, use the AP MLD MAC
address when needed for transmission of WNM Action frames.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2023-12-16 18:43:18 +02:00
Michael-CY Lee
0af4c1478e hostapd: Check the bridge if ioctl SIOCBRADDIF fails
If ioctl() returns EBUSY on the command SIOCBRADDIF, the interface might
have already been added to the bridge by an external operation (e.g.,
netifd in OpenWrt), and linux_br_add_if() should not indicate an error.

Check whether the interface is correctly brigded when ioctl()
returns EBUSY and if so, report success.

Signed-off-by: Michael-CY Lee <michael-cy.lee@mediatek.com>
2023-12-16 18:16:05 +02:00
Ilan Peer
d43a49a66d Remove a spurious tab in hostapd_eid_rnr()
Remove a spurious \tab char in hostapd_eid_rnr() between arguments to a
function.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-12-16 17:58:33 +02:00
Ilan Peer
a28ea8e517 AP: Fix setting MLD Parameters subfield in RNR element
In case the TBTT information is reporting about an AP in the same AP MLD
as the current AP, the AP MLD ID in the MLD Parameters subfield should
be set to 0.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-12-16 17:56:42 +02:00
Chenming Huang
40410c04f4 AP MLD: Channel switch for specific link
Link ID needs to be specified for MLD case when doing channel switch.
Add it to the driver command.

Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
2023-12-14 13:14:37 +02:00
Dmitrijs Martinovs
7dd7ae965a DFS: Change vht_capab according to user requested bandwidth
There are different CHAN_SWITCH flows for DFS and non-DFS channels.
Non-DFS one saves previous BW value in iface->conf, but DFS flow
replaces it with a new user requested value. Setting a non-DFS channel
after a DFS one with BW = 160 would have resulted in a mismatch between
the saved BW and vht_capab (if VHT160 was not included by default). This
would have led to a check fail in the hostapd_set_freq_params()
function.

Signed-off-by: Dmitrijs Martinovs <dmartinovs@maxlinear.com>
2023-12-10 20:58:57 +02:00
Jouni Malinen
8e294c3a2c P2P: Recover from successfully requested, but not started, listen
It is possible for the start_listen() callback to be called to request
the driver to start a driver operation and stop_listen() called
immediately after that (e.g., due to a request to transmit a P2P Public
Action frame) before the driver has had time to start ROC and send an
event to notify of that. Such a sequence could result in
p2p->pending_listen_freq being left to a nonzero value without getting a
call to p2p_listen_cb() to clear it. This would stop an ongoing P2P
listen operation since no following p2p_listen() call would start the
listen due to the pending command being assumed to be in effect.

Fix this by detecting this particular sequence and clearing
p2p->pending_listen_freq.

This was found with the p2p_listen_and_offchannel_tx test case with the
new kernel scheduled and UML time-travel.

Signed-off-by: Jouni Malinen <j@w1.fi>
2023-12-10 19:30:44 +02:00
Jouni Malinen
a83d3132e8 WNM: Define BSS transition management reason values
Signed-off-by: Jouni Malinen <j@w1.fi>
2023-12-09 11:22:14 +02:00
Vinayak Yadawad
7ee7b046a9 nl80211: Use attribute NL80211_ATTR_BSSID to scan for specific BSSID
With changes to optimize scan for specific BSSID, there arises a
scenario where in nl80211_trigger_scan() is called with a scan
randomization enabled. A combination of NL80211_ATTR_MAC for BSSID and
scan randomization, which uses NL80211_ATTR_MAC for a different purpose,
results in invalid error for the scan request. To fix the issue use
attribute NL80211_ATTR_BSSID instead of NL80211_ATTR_MAC.

NL80211_ATTR_BSSID was introduced in kernel commit 2fa436b3a2a7
("nl80211: Use different attrs for BSSID and random MAC addr in scan
req") in 2016. Prior to that, only NL80211_ATTR_MAC could be used for
specifying the target BSSID. For backwards compatibility, add the
NL80211_ATTR_MAC attribute as well when not using a random MAC address.

Signed-off-by: Vinayak Yadawad <vinayak.yadawad@broadcom.com>
2023-12-09 10:56:20 +02:00
Benjamin Berg
5bbc9462a0 tests: Test driver association ML link rejection flow
The underlying driver can reject only specific links in an association
request. In that case we will only ignore the corresponding BSS. Add a
test for this flow by simulating an association failure on the second
link specifically.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2023-12-06 22:41:40 +02:00
Ilan Peer
32434aa68a AP: Always include WPA_STA_AUTHORIZED in station flags mask
As otherwise, the underlying driver would not handle a change
in the 'authorized' state.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2023-12-06 21:54:08 +02:00
Ilan Peer
174a8fc416 AP MLD: Do not modify flags for link stations
All the station flags other than WPA_STA_SHORT_PREAMBLE are relevant
only for the MLD station and not to the link stations (as these flags
are related to the MLD state and not the link state).

As for the WPA_STA_SHORT_PREAMBLE, since the station is an EHT
station, it must have short preamble.

Thus, do not propagate the flags change for link stations to the driver.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2023-12-06 21:49:09 +02:00
Mikelis Vuls
58116877b6 EHT: Fix updating center freq segment 0 index for HE and VHT
Add additional check for 6 GHz operating class. Otherwise this results
in setting incorrect segment 0 index for 5 GHz 40 MHz channel 157-161,
which has the same center segment 0 index 159 as 6 GHz 320 MHz expected
channel.

Fixes: 085a3fc76e ("EHT: Add 320 channel width support")
Signed-off-by: Mikelis Vuls <mvuls@maxlinear.com>
2023-12-06 12:11:13 +02:00
Jaap Keuter
37d122c2f1 KaY: Make debug output consistent
Be consistent in capitalization and peer presentation.

Signed-off-by: Jaap Keuter <jaap.keuter@xs4all.nl>
2023-12-06 12:11:08 +02:00
Jurijs Soloveckis
f0cb823512 EHT: Add configuration for the EHT default PE duration
Add a new configuration parameter for the duration of PE field in EHT TB
PPDU.

Signed-off-by: Jurijs Soloveckis <jsoloveckis@maxlinear.com>
2023-12-06 12:02:44 +02:00
Liangwei Dong
5a47bbc36b Add QCA vendor command to query transmit power information
Add a new QCA subcommand QCA_NL80211_VENDOR_SUBCMD_REGULATORY_TPC_INFO
and related attributes qca_wlan_vendor_attr_tpc_links,
qca_wlan_vendor_attr_tpc definition to query transmit power information
on STA interface from the driver for a connected AP.

The information includes regulatory max transmit power limit, AP local
power constraint advertised from AP's Beacon and Probe Response frames.
For PSD power mode, the information includes PSD power levels for each
subchannel of operating bandwidth. The information is driver calculated
power limits based on current regulatory domain, AP local power
constraint and other IEs. The information will be set to target. Target
will decide final TX power based on this and chip specific power
conformance test limits (CTL), and SAR limits.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-12-05 13:01:27 +02:00
Chenming Huang
9c2d6c4232 Add QCA vendor attributes for link id for HT-scan/ACS command
For AP MLD case, HT-scan and ACS happens per link. To determine the
correct link, link id is required.

Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
2023-12-05 12:52:01 +02:00
Nagarajan Maran
7b67055794 Add QCA vendor commands for SDWF
Define subcmd IDs 235 and 236 for Service Defined Wi-Fi (SDWF).

Signed-off-by: Nagarajan Maran <quic_nmaran@quicinc.com>
2023-12-04 17:33:27 +02:00
Chaitanya Tata
6ed8eba00d Add an option to remove RRM and supported operating class indication
Removing radio measurements and supported operating class indication
might be needed to reduce binary size for a memory constrained system
that does not need more advanced features. However, removing these is
not recommended since they can help the AP manage the network and STA
steering.

By default this functionality is enabled.

Signed-off-by: Chaitanya Tata <Chaitanya.Tata@nordicsemi.no>
2023-12-03 11:43:43 +02:00
Jun Yu
4b80ad1194 Populate the new beacon hint event to wpa_msg()
Beacon hinting is a feature that can temporarily change the regulatory
rule flags on the channel where the radio hears the beacon. Add a new
event CTRL-EVENT-REGDOM-BEACON-HINT to notify the wpa_supplicant user
about an important update to the regulatory rules including which
frequencies are impacted, new power limit, and new rule flags.

Signed-off-by: Jun Yu <junyuu@chromium.org>
2023-12-02 20:48:15 +02:00
Ilan Peer
d8cae2d024 nl80211: Do not allow off channel when frequency is not specified
Do not allow offchannel operation for action frame transmission if
no frequency is specified, as this doesn't make sense.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2023-12-02 20:35:21 +02:00
Jouni Malinen
4f69b4a31e mesh: Fix PMKSA cache entry addition with external PMKSA management
The length of the PMK ended up getting lost when a PMKSA cache entry was
added based on externally managed information. Set the PMK length in SAE
context to get the correct length stored into the actual PMKSA cache
entry that gets created in this path.

Signed-off-by: Jouni Malinen <j@w1.fi>
2023-12-02 20:31:16 +02:00
Jaap Keuter
0302c3ad22 trace: binutils replaces bfd_hostptr_t with uintptr_t
According to this message https://marc.info/?l=binutils&m=165363679302282
the type bfd_hostptr_t is dropped in favor of uintptr_t.
Replace the use of this type in the code.

Signed-off-by: Jaap Keuter <jaap.keuter@xs4all.nl>
2023-12-02 19:08:25 +02:00
Chenming Huang
d54d0d8983 AP MLD: Handle DFS in correct link
Link ID is needed for AP MLD to handle DFS events in the correct link.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-11-26 17:31:46 +02:00
Chenming Huang
f1fee0d1ff AP MLD: Handle channel switch event in correct link
USe the link ID information to determine the specific affiliated link
when processing channel switch events on an AP MLD.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-11-26 17:25:41 +02:00
Chenming Huang
fb6598864b nl80211: Add link ID when setting BSS attributes for AP MLD
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-11-26 17:12:46 +02:00
Chenming Huang
5487d8d9e9 nl80211: Specify link ID when sending Management frames
Extend nl80211_send_frame_cmd() to include the link ID to use for TX
with NL80211_CMD_FRAME.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-11-26 17:12:05 +02:00
Chenming Huang
859cbc396f nl80211: Remove links when stopping AP MLD in hostapd
There is an issue when starting a non-MLD AP on the same interface that
previous operated as an AP MLD. When the previous AP MLD got stopped,
links were not removed when using hostapd. Next non-MLD AP will fail to
start because some nl80211 operations still require link id (e.g., set
freq).

Remove links when AP MLD is stop to avoid such issue. This was already
done in the deinit_ap() handler when using wpa_supplicant, but hostapd
needs to do same.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-11-26 17:05:59 +02:00
Ilan Peer
780e72cc14 AP MLD: Do not include empty MLO KDEs
Do include group MLO KDEs for links for which the information is
missing.

In addition, set the KDE buffer length based on the added data.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2023-11-26 17:01:02 +02:00
Ilan Peer
ecd9ea0c8a AP MLD: Do not access WPA authenticator object if not valid
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2023-11-26 16:56:18 +02:00
Ilan Peer
21e8fcc807 nl80211: Add support for handling MLO removed links
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2023-11-26 13:42:43 +02:00
Benjamin Berg
cd79d834bf trace: Add TEST_FAIL_TAG macro to allow more narrow matching
The tag is inserted as the first item in the stack trace, making it
trivial to match against it from the test.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2023-11-26 13:00:45 +02:00
Benjamin Berg
781e87c418 trace: Allow multiple failures in one test
Refactor the backtrace matching a bit in order to allow triggering
multiple failures in one test.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2023-11-26 12:47:40 +02:00
Benjamin Berg
e62d351ce7 trace: Document function pattern prefixes
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2023-11-26 12:45:12 +02:00
Benjamin Berg
5545d995b3 trace: Share common implementation for TEST_FAIL and TEST_ALLOC_FAIL
Get rid of more or less duplicated implementation of backtrace matching
for the two testing failure cases.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2023-11-26 12:40:11 +02:00
Benjamin Berg
7d901dc7e7 trace: Use an array of skipped function names
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2023-11-26 12:14:04 +02:00
Benjamin Berg
e9bdecce4d Share TEST_FAIL/TEST_ALLOC_FAIL/GET_FAIL/GET_ALLOC_FAIL handler
Move the hostapd and wpa_supplicant control interface handlers into a
shared functions instead of duplicated implementation.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2023-11-26 12:03:47 +02:00
Andrei Otcheretianski
6fc2d1357d AP: Get rid of wpa_auth_pmksa_add3()
Simply pass another parameter to wpa_auth_pmksa_add2() instead.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-11-26 00:06:50 +02:00
Ilan Peer
e996704201 AP: Handle re-association from a non-AP MLD
When processing a (Re)Association Request frame and no corresponding
station is found, try to find the station using the station MLD MAC
address from the Basic ML element, as it is possible that the station
is trying to re-associate but with a different link address (in such
a case the underlying driver would not perform address translations).

When sending the (Re)Association Response frame, use the addresses from
the (Re)Association Request frame and not the AP MLD MAC address, again,
to avoid the address translation done in the driver.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-11-26 00:05:51 +02:00
Ilan Peer
a18f8ee0f5 AP MLD: Use MLD MAC address for SA query and response when needed
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2023-11-25 21:52:23 +02:00
Andrei Otcheretianski
d64ec94140 AP MLD: Don't include AP MLD ID in Beacon frames
IEEE P802.11be/D4.0, 9.4.2.312.2.3 states that the AP MLD ID should only
be included in some ML probe responses. Beacon frames shouldn't include
AP MLD ID.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-11-25 18:50:03 +02:00
Benjamin Berg
3bde811756 ML: Add basic handling of ML probe requests
This responds by simply embedding most of the IEs from the other links
into the ML element. This is not correct really, as inheritance rules
should be applied and an inheritance element may need to be added.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-11-25 18:47:44 +02:00
Benjamin Berg
ecb22ba12e AP: MLO: Add helper to iterate all links of an AP MLD
Add a simple for_each_mld_link helper that sets first variable to the
hapd data for every link. It takes the interfaces and MLD ID as
arguments and two extra integers as scratch variables (for the interface
and bss offsets).

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2023-11-25 18:30:57 +02:00
Benjamin Berg
db2bc0364f AP: Add parsing of ML probe requests
This adds the parsing of ML probe requests. Handling will be added by a
later commit.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-11-25 18:29:50 +02:00
Benjamin Berg
82453a3482 AP: Split Probe Response frame IE generation into a separate function
To support ML probe request we will need to include IEs from the other
hapd instances in the response. Split the function to allow just
generating the per-instance IEs separately.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-11-25 18:22:41 +02:00
Benjamin Berg
6b5e00a80e AP: Use a struct for Probe Response generation in/out params
This effectively moves setting the csa/ecsa/cca position to happen
only when a Probe Response template for offloading is generated.

One could probably avoid the global variable altogether, as the
value is immediately consumed into struct {csa,cca}_settings.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-11-25 18:10:18 +02:00
Benjamin Berg
4a1cd7f545 nl80211: Report link specific association failures from the kernel
If a link specific error occured, mark the offending link within the
association parameters.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-11-25 17:06:52 +02:00
Benjamin Berg
6ba9b9440b nl80211: Add support to parse out link from error reply
The kernel may report the link that caused an error by setting
NLMSGERR_ATTR_OFFS pointing to the NL80211_ATTR_MLO_LINKS element
that was the reason for the error.

Parse this information if the optional struct nl80211_err_info is
passed to send_and_recv_msgs().

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-11-25 17:03:52 +02:00
Benjamin Berg
92d8d1d760 MLD: Add a TEST_FAIL to fail one link in an MLD association.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-11-25 16:49:43 +02:00
Benjamin Berg
846e65c7ce MLD: Return status code for links when rejecting association
When the TX link rejects the association, return a status code for all
requested links. For simplicity, just return "TX link not accepted" so
that clients may try to connect to other links. This could be improved
to explicitly reject each link if directly associating to the link will
not work either.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-11-25 16:49:27 +02:00
Benjamin Berg
c55a272f66 EHT: Define status codes from IEEE P802.11be/D4.0
Add the new status code that had not yet been defined.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-11-25 14:03:41 +02:00
Ilan Peer
d95838b793 AP: Add support for testing ML link removal
Add support for testing ML link removal to hostapd. While such support
should inherently be integrated with the underlining driver, simulate
the inclusion of the ML reconfiguration element in hostapd.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-11-25 13:58:37 +02:00
Ilan Peer
73a6f5c37e AP MLD: Make BSS parameter change variable
As a preparation to support link removal, make the BSS parameter
change count variable.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2023-11-25 13:41:21 +02:00
Andrei Otcheretianski
cb90aa3acf wpa_supplicant: Remove duplicate logic in wpas_ml_element()
Parsing multiple RNR elements already exists in
wpa_bss_parse_basic_ml_element(), so wpas_ml_element() just duplicates
the same code. Combine the functionality of both these functions and
remove the duplicate.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-11-25 12:03:52 +02:00
Benjamin Berg
b3aafd5a87 common: Simplify and avoid confusing defragmentation API
Three functions were provided for defragmentation. First
ieee802_11_defrag(), ieee802_11_defrag_mle() and then
ieee802_11_defrag_data() which would do the actual job. With
ieee802_11_defrag() picking the member in the elements struct for an
EID. The problem with this is, that for the Multi-Link element, there
are multiple entries in the elems struct depending on its type. As such,
remove the intermediate function and simply pass the correct members
directly.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-11-25 10:56:56 +02:00
Johannes Berg
0f7d15dd38 ieee802_11_defs: Fix EHT_ML_PRES_BM_PROBE_REQ_AP_MLD_ID
This Presence Bitmap field is B4..B15 of the Multi-Link Control field
and the value used here is for that full 16-bit field, not just within
the Presence Bitmap field.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-11-24 23:09:23 +02:00
Benjamin Berg
645ec9b58a nl80211: Do a roundtrip to reset event supressions
With nl80211 we need to supress the kernel generated event for any
disconnect and deauthenticate. This code is a bit fragile, as it
assumes that an event will happen. Commit b898b65582 ("nl80211: Do
not ignore disconnect event in case of !drv->associated") changed this
to only disconnect when the driver knows it is associated (apparently
required for P2P), however, deauthentication may also occur without
being associated yet.

Looking at the issue, what we are really interested in is whether the
event belongs to a disconnect/deauth command that we have send
ourselves. Any event happening after the disconnect/deauth completes
should not be suppressed (or after the next connect/auth as that would
be sufficient). We therefore need to know from the event stream
whether events were generated before or after disconnect/deauth
command completion.

To do so, send a simple command on the nl_event socket. As this will
be returned back to us in the correct order with regard to the events.
We can therefore use it to safely reset our internal
ignore_next_local_{deauth,disconnect} variables.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2023-11-24 22:49:15 +02:00
Vinayak Yadawad
69ea73bfed nl80211: Update port authorized indication for MLO address
Handling of port authorized event for STA currently handles the
connected BSSID. This needs additional handling to support the AP MLD
address in case of MLO connection. The connected_addr expected by
cfg80211_port_authorized() is mld_addr for ML connection case.

Signed-off-by: Vinayak Yadawad <vinayak.yadawad@broadcom.com>
2023-11-24 18:49:01 +02:00
Nicolas Escande
6f014c0d01 ACS: Add 320 MHz support for EHT
Enable support for ACS in the IEEE 802.11be/320 MHz case. To do so we
just:
  - add channel definitions for the 320 MHz blocks of the 6 GHz band
  - handle CONF_OPER_CHWIDTH_320MHZ in the different cases
  - restrict 320 MHz to ieee80211be=1 only

Signed-off-by: Nicolas Escande <nico.escande@gmail.com>
2023-11-24 18:40:24 +02:00
Jurijs Soloveckis
f0aea885f8 EHT: Fix HE Channel Center Freq Seg0/Seg1 for 6 GHz 320 MHz cases
Fix for the HE Channel Center Freq Seg0/Seg1 within the HE 6GHz
Operation Information field. As downgrade of bandwidths for VHT and HE
when using puncturing is TODO for 320 MHz and/or if puncturing is
disabled and bandwidth is 320 MHz, the same rules as for 160 MHz should
be applied for Channel Center Freq Seg0/Seg1 within 6 GHz Operation
Information field.

Signed-off-by: Jurijs Soloveckis <jsoloveckis@maxlinear.com>
2023-11-24 18:38:32 +02:00
Jurijs Soloveckis
07c03a6557 EHT: Fix conditions for including EHT Operation Information field
Include EHT Operation Information field only if the operating bandwidth
is 320 MHz or there is at least one punctured 20 MHz subchannel. This
behavior is defined in IEEE P802.11be/D4.0, 35.15.1 (Basic EHT BSS
operation).

Signed-off-by: Jurijs Soloveckis <jsoloveckis@maxlinear.com>
2023-11-24 18:36:27 +02:00
Juliusz Sosinowicz
01d95b75b8 SAE: prime_len means length in bytes not bits
The prime_len variable is used as the length in bytes but it is set as
the length in bits. This fixes the sae DH group tests with wolfSSL.

Fixes: f8f20717f8 ("SAE: Use const_time selection for PWE in FFC")
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2023-11-24 18:07:34 +02:00
Jouni Malinen
a02585cef7 MBSSID: Use BIGTK from the transmitted BSS for beacon protection
MBSSID shares a single Beacon frame with multiple BSSs. This implies
that the key used for beacon protection (BIGTK) needs to be shared. The
nontransmitted BSSs managed their own BIGTK previously and that resulted
in providing incorrect value to the stations associated with those BSSs.
Use the BIGTK from the transmitted BSS to fix this.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-11-24 12:53:09 +02:00
Vinayak Yadawad
73b49016f2 Fix references to correct driver capability flag for PSK/OWE offloads
Fix references to the appropriate driver capability drv_flags2. The
initial version used the incorrect drv_flags value and by doing so,
ended up using incorrect driver capabilities (DEAUTH_TX_STATUS,
BSS_SELECT, TDLS_SUPPORT) which could result in incorrect OWE
functionality for both AP and STA cases.

Fixes: d984c7b298 ("hostapd: Add support for OWE offload for STA/AP interface")
Fixes: da364180fb ("hostapd: Support 4-way handshake offload for AP/P2P GO")
Signed-off-by: Vinayak Yadawad <vinayak.yadawad@broadcom.com>
2023-11-23 11:41:18 +02:00
Jouni Malinen
415839406a OpenSSL: Allow openssl_ciphers override with Suite B config on server
The openssl_ciphers parameter is a global data entry on the server
instead of the per-connection design on client. As such, hostapd needs
to make a local copy of the global value and use that whenever setting
per-connection parameters. This is needed particularly when testing
Suite B functionality where the Suite B specific parameters might end up
overriding the cipher list.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-11-22 19:39:45 +02:00
Prasanna JS
e9b13938a9 Add EHT mode support for ratemask configuration vendor command
Extend enum qca_wlan_ratemask_params_type to configure ratemask for EHT
mode.

Signed-off-by: Prasanna JS <quic_pjs@quicinc.com>
2023-11-21 21:14:30 +02:00
Purushottam Kushwaha
239469eb1d Define new command in qca_tsf_cmd to get AP channel switch TSF time
Define a new command QCA_TSF_SYNC_GET_CSA_TIMESTAMP in qca_tsf_cmd to
retrieve the TSF time value at which the AP will move and starts
beaconing on a new channel. Userspace queries this TSF after receiving
NL80211_CMD_CH_SWITCH_STARTED_NOTIFY event on the AP interface. This TSF
can be communicated via an OOB mechanism to connected STAs which may
fail to receive the CSA frames due to channel congestion.

Signed-off-by: Purushottam Kushwaha <quic_pkushwah@quicinc.com>
2023-11-21 21:13:44 +02:00
Jouni Malinen
30748d2b3f SAE: Require PMKID match to PMKSA with SAE-EXT-KEY
This check was supposed to be done for all SAE cases other than FT
roaming.

Signed-off-by: Jouni Malinen <j@w1.fi>
2023-11-11 23:44:52 +02:00
Vinayak Yadawad
b089803091 hostapd: Add support for SAE offload for AP interface
The driver advertising SAE AP offload support would take care of SAE
authentication and PMK generation at the driver/firmware. This feature
requires the driver to be supporting 4-way handshake offload to process
the generated PMK at the driver level for 4-way handshake.

Signed-off-by: Vinayak Yadawad <vinayak.yadawad@broadcom.com>
2023-11-11 23:44:01 +02:00
Vinayak Yadawad
d984c7b298 hostapd: Add support for OWE offload for STA/AP interface
The driver advertising OWE offload support would take care of
Diffie-Hellman Parameter element generation and processing part. The
driver would be responsible for OWE PMK generation in this case.

Avoid the Diffie-Hellman Parameter element handling in
wpa_supplicant/hostapd for drivers advertising OWE offload support. This
change is applicable only for drivers supporting 4-way handshake
offload.

Signed-off-by: Vinayak Yadawad <vinayak.yadawad@broadcom.com>
2023-11-11 22:36:24 +02:00
Vinayak Yadawad
da364180fb hostapd: Support 4-way handshake offload for AP/P2P GO
Add support for offloaded 4-way handshake in AP/P2P GO mode. For drivers
supporting the AP PSK offload, wpa_supplicant/hostapd passes down the
PSK for the driver to handle the 4-way handshake. The driver is expected
to indicate port authorized event to indicate that the 4-way handshake
is completed successfully.

Signed-off-by: Vinayak Yadawad <vinayak.yadawad@broadcom.com>
2023-11-11 22:34:06 +02:00
Kaidong Wang
790beb84ac Adjust the SNR when comparing BSSes based on Tx power config
The max transmit power of Standard Power (SP) Access Points (AP) on
6 GHz band and APs on 2.4 GHz and 5 GHz bands is limited by effective
isotropic radiated power (EIRP), while the max transmit power of Low
Power Indoor (LPI) APs on 6 GHz Band is limited by power spectral
density (PSD). Therefore the max transmit power of LPI APs grows as the
channel width increases, similar to the noise power which has constant
PSD.

Adjust the SNR of BSSes based on the transmit power config and max
channel width. EIRP limited APs usually have constant max transmit power
on different channel widths, their SNR decreases on larger channel width
because the noise power is higher, while PSD limited APs have constant
SNR over all channel widths.

Signed-off-by: Kaidong Wang <kaidong@chromium.org>
2023-11-10 16:34:01 +02:00
Ben Greear
99a8dd0495 MLD: Support multiple RNR elements
Beacon frames are allowed to optionally include one more more Reduced
Neighbor Report elements. Only the first one was parsed previously.
Extend this to use a loop to go through all included RNR elements.

Signed-off-by: Ben Greear <greearb@candelatech.com>
2023-11-07 18:55:50 +02:00
Jouni Malinen
84c33cc81f MBSSID: Use DTIM Count 0 in the Beacon template for nontransmitted BSSID
The driver is expected to update the DTIM Count field for each BSS that
corresponds to a nontransmitted BSSID. Initialized this value to 0 in
the Beacon frame template so that the DTIM count would be somewhat
functional even if the driver were not to update this.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-11-07 10:44:28 +02:00
Chaitanya Tata
3e1fb2dec7 dragonfly: Fix legendre symbol calculation failure handling
In case of low-memory conditions, the computation for legendre symbol
can fail and return -2 as per documentation, but the check for that
was missed here. And this can can cause an infinite loop searching for
qr and qnr if the error repeats for each attempt.

Break the loop if calculation fails, we can leave retry to the callers
or user. This is similar to the way allocation and generation of a new
random number was handled in this loop.

Signed-off-by: Chaitanya Tata <Chaitanya.Tata@nordicsemi.no>
2023-11-06 20:07:05 +02:00
Mohan Prabu
76ae985b0a Remove QCA_WLAN_VENDOR_ATTR_CONFIG_MLO_LINK_ID constraint
Currently the documentation for QCA_WLAN_VENDOR_ATTR_CONFIG_MLO_LINK_ID
indicates it is only for use inside nest attribute
QCA_WLAN_VENDOR_ATTR_CONFIG_MLO_LINKS.  Update the documentation to
allow it to be used outside that nest as well.

Signed-off-by: Mohan Prabu <quic_mprabub@quicinc.com>
2023-11-06 20:02:46 +02:00
Jouni Malinen
cc1867f5ca MLD STA: Use MLD MAC address as destination for EAPOL-Key request
Also this EAPOL frame uses the MLD MAC address of the AP MLD when sent
during an MLO association.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-11-06 20:02:09 +02:00
Rohan Dutta
c92311fed7 MLD STA: Fix destination address for Group Key handshake msg 2/2
For MLO association, specify destination address as the MLD MAC address
for sending Group Key msg 2/2.

Signed-off-by: Rohan Dutta <quic_drohan@quicinc.com>
2023-11-06 19:58:22 +02:00
Gokul Sivakumar
c0da381a31 nl80211: Add capa.flags2 to STATUS-DRIVER
This adds the newer driver capability "flags2" bitmask to the
hostapd_cli/wpa_cli "status driver" result.

Signed-off-by: Gokul Sivakumar <gokulkumar.sivakumar@infineon.com>
2023-11-06 15:15:59 +02:00
Gokul Sivakumar
d193726aa1 nl80211: Dump driver_flags2 in debug prints
This was already done for driver_flags, but the newer driver_flags2 was
not covered here.

Signed-off-by: Gokul Sivakumar <gokulkumar.sivakumar@infineon.com>
2023-11-06 15:15:41 +02:00
Gokul Sivakumar
ed1ae82a39 Update the driver_flags2 to string conversion
Populate the switch case in the driver_flag2_to_string() function with
the full list of feature MACROs represented with the "flags2" bitmask.

Signed-off-by: Gokul Sivakumar <gokulkumar.sivakumar@infineon.com>
2023-11-06 15:14:32 +02:00
Gokul Sivakumar
bbc7ffe852 Rename driver capability for radar background detection
Use the WPA_DRIVER_FLAGS2_ prefer for this to be more consistent.

Signed-off-by: Gokul Sivakumar <gokulkumar.sivakumar@infineon.com>
2023-11-06 15:07:01 +02:00
Chung-Hsien Hsu
6cc78b3945 nl80211: Set NL80211_WPA_VERSION_2 vs. _3 based on AKM
Signed-off-by: Chung-Hsien Hsu <chung-hsien.hsu@infineon.com>
Signed-off-by: Daisuke Mizobuchi <mizo@atmark-techno.com>
2023-11-05 20:35:10 +02:00
Chung-Hsien Hsu
c3b8452e0e nl80211: SAE authentication offload support
Set WPA_DRIVER_FLAGS2_SAE_OFFLOAD flag if the driver indicates SAE
authentication offload support for STA mode. Allow SAE password to be
provided to the driver in such cases when using the CONNECT command.

Signed-off-by: Chung-Hsien Hsu <chung-hsien.hsu@infineon.com>
Signed-off-by: Daisuke Mizobuchi <mizo@atmark-techno.com>
2023-11-05 20:35:07 +02:00
Ze Gan
750403f3ad mka: Fix re-establishment by resetting MI
The key server may be removed due to the ingress packets delay. In this
situation, the endpoint of the key server may not be aware of this
participant who has removed the key server from the peer list. Because
the egress traffic is normal, the key server will not remove this
participant from the peer list of the key server. So in the next MKA
message, the key server will not dispatch a new SAK to this participant.
And this participant cannot be aware of that that is a new round of
communication so that it will not update its MI at re-adding the key
server to its peer list. So we need to update MI to avoid the failure of
re-establishment MKA session.

Signed-off-by: Ze Gan <ganze718@gmail.com>
2023-11-05 19:25:27 +02:00
Ze Gan
61f0e19b86 mka: Fix unexpected cleanup on missing MKA_LIFE_TIME while installing SC/SA
The key server may not include dist sak and use sak in one packet.
Meanwhile, after dist sak, the current participant (non-key server) will
install SC or SA(s) after decoding the dist sak which may take few
seconds in real physical platforms. Meanwhile, the peer expire time is
always initialized at adding the key server to peer list. The gap
between adding the key server to peer list and processing next use sak
packet may exceed the threshold of MKA_LIFE_TIME (6 s). It will cause an
unexpected cleanup (delete SC and SA(s)), so update the expire timeout
at dist sak also.

Signed-off-by: Ze Gan <ganze718@gmail.com>
2023-11-05 19:13:07 +02:00
David Ruth
c84388ee4c Compile-time config for dynamically loading libraries in wpa_supplicant
Prevent loading arbitrary executable code based on config at runtime,
while allowing libraries to be specified at compile time when they are
known in advance.

Add the ability to configure libraries to load at compile time.
	* CONFIG_PKCS11_ENGINE_PATH - pkcs11_engine library location.
	* CONFIG_PKCS11_MODULE_PATH - pkcs11_module library location.
	* CONFIG_OPENSC_ENGINE_PATH - opensc_engine library location.

Add flags with the ability to set each of the libraries to NULL and
prevent loading them at runtime.
	* CONFIG_NO_PKCS11_ENGINE_PATH - prevents loading pkcs11_engine
	  library.
	* CONFIG_NO_PKCS11_MODULE_PATH - prevents loading pkcs11_module
	  library.
	* CONFIG_NO_OPENSC_ENGINE_PATH - prevents loading opensc_engine
	  library.
	* CONFIG_NO_LOAD_DYNAMIC_EAP - prevents loading EAP libraries at
	  runtime.

Signed-off-by: David Ruth <druth@chromium.org>
2023-11-05 10:23:29 +02:00
Juliusz Sosinowicz
890953a32c wolfSSL: Old FIPS APIs have void return
Fix the calls to wc_AesEncryptDirect(). Old versions of wolfCrypt FIPS
had wc_AesEncryptDirect() return void instead of int. Fix this build
issue.

Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2023-11-04 18:41:26 +02:00
Juliusz Sosinowicz
ec7f064fa7 wolfSSL: Implement DPP backend functions
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2023-11-04 18:41:26 +02:00
Juliusz Sosinowicz
b37238d3ac wolfSSL: Set up generator manually in FIPS build
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2023-11-04 18:41:26 +02:00
Juliusz Sosinowicz
8dabc1fede wolfSSL: Get EC generator for DPP
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2023-11-04 18:41:26 +02:00
Juliusz Sosinowicz
732ed5abe1 wolfSSL: Add crypto_ecdh_init2()
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2023-11-04 18:41:26 +02:00
Juliusz Sosinowicz
15a7c9b9e3 wolfSSL: Refactor crypto ECC section
Use heap allocated objects and improve error checking.

Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2023-11-04 18:41:26 +02:00
Juliusz Sosinowicz
41b5c9d8dc wolfSSL: Use wc_ecc_get_curve_size_from_id()
Avoid use of direct member access.

Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2023-11-04 18:18:25 +02:00
Juliusz Sosinowicz
378bef3697 wolfSSL: Use wc_ecc_forcezero_point() in non-FIPS builds
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2023-11-04 18:18:25 +02:00
Juliusz Sosinowicz
de38571b86 wolfSSL: More complete crypto_ec_key_group()
Add more curves and check if brainpool support is built.

Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2023-11-04 18:18:25 +02:00
Juliusz Sosinowicz
d48f6b9138 wolfSSL: EC group-to-id conversion into a helper function
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2023-11-04 18:18:25 +02:00
Juliusz Sosinowicz
a16916b749 wolfSSL: Improve logging
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2023-11-04 18:18:25 +02:00
Juliusz Sosinowicz
7ebb5469b3 wolfSSL: Improve error checking and logging in AES functions
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2023-11-04 18:18:25 +02:00
Juliusz Sosinowicz
10fd91d8fb wolfSSL: Better error message in pbkdf2_sha1() for FIPS password failure
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2023-11-04 18:18:25 +02:00
Juliusz Sosinowicz
aa4c4d079b wolfSSL: Always clean up resources and log errors in wolfssl_hmac_vector()
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2023-11-04 18:18:25 +02:00
Juliusz Sosinowicz
644d87c34a wolfSSL: Improve error checking in vector hashing functions
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2023-11-04 18:18:25 +02:00
Juliusz Sosinowicz
5e20b924da wolfSSL: Add crypto logging macros
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2023-11-04 18:18:25 +02:00
Juliusz Sosinowicz
a0e8d9ae71 wolfSSL: Add FIPS warning
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2023-11-04 18:18:25 +02:00
Juliusz Sosinowicz
48a65d47cd wolfSSL: Put wolfSSL headers in alphabetical order
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2023-11-04 18:18:25 +02:00
Juliusz Sosinowicz
a2eeb7f6dd wolfSSL: Add more precise logging in wolfssl_handshake()
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2023-11-04 18:18:25 +02:00
Juliusz Sosinowicz
83f144bf6a wolfSSL: Debug print ciphersuites
Signed-off-by: Juliusz Sosinowicz <juliusz@wolfssl.com>
2023-11-04 18:18:25 +02:00
Jouni Malinen
568a5a8159 EHT: Include crypto.h to avoid implicit function definition
crypto_ec_*() were not defined in some build configuration cases.

Signed-off-by: Jouni Malinen <j@w1.fi>
2023-11-04 15:05:15 +02:00
Ilan Peer
a8517c132c Add support for AKM suite 00-0F-AC:23
Add support for Authentication negotiated over IEEE Std 802.1X
with key derivation function using SHA-384.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2023-11-03 17:08:36 +02:00
Daniel Gabay
005b0ce367 defs: Enclose all structs between the pragmas
Many of the STRUCT_PACKED structs are not within the pragmas resulting
in wrong packing using MSVC. Fix it by moving pragma to EOF to ensure
proper packing.

Signed-off-by: Daniel Gabay <daniel.gabay@intel.com>
2023-11-03 16:29:55 +02:00
Vignesh C
41a60f6586 hostapd: Add support to send CW change notification
Add hostapd_cli command to notify channel width change to all
associated STAs.

Notify Channel Width frame for HT STAs.
(IEEE P802.11-REVme/D4.0, 9.6.11.2)

Operating Mode Notification frame for VHT STAs.
(IEEE P802.11-REVme/D4.0, 9.6.22.4)

Usage: hostapd_cli notify_cw_change <channel_width>
<channel_width> = 0 - 20 MHz, 1 - 40 MHz, 2 - 80 MHz, 3 - 160 MHz.

Co-developed-by: Bhagavathi Perumal S <quic_bperumal@quicinc.com>
Signed-off-by: Bhagavathi Perumal S <quic_bperumal@quicinc.com>
Signed-off-by: Vignesh C <quic_vignc@quicinc.com>
2023-11-03 16:19:11 +02:00