Commit graph

19759 commits

Author SHA1 Message Date
Benjamin Berg
ebd18f1ade WNM: Rename wnm_dissoc_addr
Use "disassoc" instead of "dissoc" when referring to disassociation.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-08-02 12:48:25 +03:00
Benjamin Berg
93eb3b83c6 WNM: Store whether disassociation address is an MLD MAC address
Commit 17a2aa822c ("WNM: Follow BTM procedure if the last link is
dropped") added code to store either the MLD MAC address or BSSID when
being disassociated. However, it did not save which one was stored
making the tests later on awkward.

Store whether it was an MLD MAC address or not and then do the test
accordingly.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-08-02 12:48:25 +03:00
Benjamin Berg
63ac001ed2 WNM: Only trigger selection logic for own scans
Commit e508c070c4 ("WNM: Keep BTM information until connection
completes") changed the logic so that much of the information about a
transition management request will be kept around for longer. However,
doing this also implies that the scan logic can be called multiple times
with wnm_dialog_token being set.

Add a guard to bail out if the scan was not done for a BTM request. But,
add it after the transition candidate validity check so that we reset
the state when a new scan invalidated it.

However, invalidation does not make sense for any scan, primarily an ML
probe request during a connection attempt should not trigger
invalidation. So move the call to wnm_scan_process() further down in the
list to avoid issues.

Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
2024-08-02 12:48:18 +03:00
Purushottam Kushwaha
bb96540ef5 Add QCA vendor attribute to skip recently scanned channels
Add a new vendor attribute
QCA_WLAN_VENDOR_ATTR_SCAN_SKIP_CHANNEL_RECENCY_PERIOD for sub command
QCA_NL80211_VENDOR_SUBCMD_TRIGGER_SCAN to skip the recently scanned
channels within specified time (in ms), thus reducing the number of
channels for requested scan.

Signed-off-by: Purushottam Kushwaha <quic_pkushwah@quicinc.com>
2024-08-01 20:16:50 +03:00
Veerendranath Jakkam
bc43e75b2b MLD STA: Fix destination address for EAPOL frames
For MLO association, specify the destination address as the AP MLD MAC
address for sending EAPOL frames. Previously, this was set to the BSSID
in all cases (and hoped for the driver to map it to MLD MAC address when
needed).

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2024-08-01 20:15:07 +03:00
David Bauer
69d18ab9f2 bgscan: Add OWE transition mode SSID to network scan
Add transition mode SSIDs to the SSID scan-list for bgscan. This is
currently missing and bgscan fails to scan for SSIDs on the OWE
transition network if one is currently used.

Signed-off-by: David Bauer <mail@david-bauer.net>
2024-08-01 18:16:34 +03:00
David Bauer
56e8f8bf34 OWE: Enable roaming between OWE APs
This allows to use the ROAM control interface command to force roaming
on a transition network. Previously, this was not possible, as the open
SSID is stored for the connection profile. Add a new function to also
return OWE transition networks if the profile SSID is set as the
transition-ssid for the OWE RSN network.

Signed-off-by: David Bauer <mail@david-bauer.net>
2024-08-01 18:06:54 +03:00
David Bauer
ddfed3f084 OWE: Reduce code duplication in OWE element parsing
Reduce the code-duplication for methods handling the OWE transition
mode.

Signed-off-by: David Bauer <mail@david-bauer.net>
2024-08-01 18:01:07 +03:00
Johannes Berg
1e54160515 hostapd: Fix BSS parameters change count on link removal
The value currently is simply incremented, but it must not
reach 255 and rather wrap around from 254 to 0, since in
the Reduced Neighbor Report 255 means unknown. Fix that.

Fixes: d95838b793 ("AP: Add support for testing ML link removal")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2024-08-01 17:30:12 +03:00
Diya Sati
21c3a7494c Add Link ID attribute for external ACS vendor command
The Link Id attribute is required for
qca_wlan_vendor_attr_external_acs_event to identify the link on which
the command is received for an AP MLD.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-08-01 10:38:24 +03:00
Shiva Sankar Gajula
5942965955 Add link ID attribute to ADD_STA_NODE QCA vendor command for AP MLD
Add QCA_WLAN_VENDOR_ATTR_ADD_STA_NODE_LINKID attribute to the
ADD_STA_NODE command to identify a specific link affiliated to an AP
MLD.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-08-01 10:37:10 +03:00
Purushottam Kushwaha
e1ab680c98 Add QCA vendor subcommand to request audio transport switch
Add a new sub command QCA_NL80211_VENDOR_SUBCMD_AUDIO_TRANSPORT_SWITCH
to request the audio data transport switch in both the command and event
path. This is used when two or more audio data transports are available
between peers.

Signed-off-by: Purushottam Kushwaha <quic_pkushwah@quicinc.com>
2024-08-01 10:32:00 +03:00
Vinay Gannevaram
7e0e69cfea SAE: Send external auth status after sending Authentication frame
The driver might delete the STA node details on receiving external auth
status. In SAE authentication failure case on the AP, an Authentication
frame with a failure status is sent to the driver after sending the
external auth status. Authentication frame transmission didn't have a
dependency with STA node details earlier, but with MLO, Authentication
frames should be transmitted using the link address for a given MLD MAC
address by the supplicant. Since MLD to link address translation is done
by the driver, the STA node details are required to transmit the
Authentication frame. Hence, send external auth status to the driver
after sending the Authentication frame.

SAE external auth was introduced in commit 4ffb0fefe4 ("hostapd:
Support external authentication offload in AP mode"), which requires the
change in order of sending Authentication frame and auth status in case
of failure when using MLO.

Signed-off-by: Vinay Gannevaram <quic_vganneva@quicinc.com>
2024-07-31 18:28:39 +03:00
Jouni Malinen
be6e4279fa RSNO: Verify all RSNE/RSNXE variants in multi-link cases
Use the RSN Override Link KDE to include the override variants of the
RSNE/RSNXE for each link so that all variants are verifies when
processing the protected EAPOL-Key message 3/4.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-30 19:56:00 +03:00
Jouni Malinen
4d110b4f87 tests: More detailed error logging for RSN overriding with MLD
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-30 18:52:15 +03:00
Jouni Malinen
521374b978 RSNO: Include all RSNE/RSNXE variants in EAPOL-Key message 3/4
This allows all variants to be verified based on a protected frame to
achieve robust downgrade protection.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-30 18:52:15 +03:00
Jouni Malinen
6f522baa1b RSNO: Use SNonce cookie to indicate support for RSN overriding
This provides an implicitly protected (SNonce is used as an input to PTK
derivation) mechanism for a STA to indicate support for RSN overriding
in a manner that does not cause interopability issues with deployed APs.

In addition, update sm->SNonce on the Authenticator only based on
message 2/4 since that is the only EAPOL-Key message that is defined to
provide the actual SNonce value. While clearing of this internal buffer
on message 4/4 might not cause issues, it is better to keep the actual
SNonce value here since the SNonce cookie can be used at a later point
in the sequence.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-30 12:16:05 +03:00
Jouni Malinen
62ca121f96 RSNO: Use the RSN Selection element to indicate which variant was used
This replaces the use of the RSNE Override and RSNE Override 2 elements
with empty payload to indicate which RSNE variant was used.

In addition, this adds stricter validation of the RSNE in
(Re)Association Request frame to allow only the pairwise cipher suites
and AKMs listed in the indicated RSNE variant to be used.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-30 12:16:05 +03:00
Jouni Malinen
524c452153 RSNO: Remove unused override element generation
The separate RSNOE/RSNO2E/RSNXOE buffers were not actually used on the
Authenticator, so remove them.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-30 12:16:05 +03:00
Chenming Huang
13648dde91 FILS: Check for potential NULL return
hostapd_eid_assoc_fils_session() might return NULL if memory allocation
fails. This NULL value then will be used for invalid calculation and
cause unspecified behavior or be dereferenced unexpectedly. Avoid this
with an explicit check of the returned pointer.

Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
2024-07-25 21:03:59 +00:00
Adil Saeed Musthafa
376adfea8d RSNO: Protect wpa_ie_buf3 from reuse explicitly
Use else-if check for better clarity regarding usage of wpa_ie_buf3 to
make it explicit that memory is allocated for this pointer only once.

Signed-off-by: Adil Saeed Musthafa <quic_adilm@quicinc.com>
2024-07-25 21:03:51 +00:00
Jouni Malinen
4adf234cd3 RSNO: Remove override elements from EAPOL-Key msg 3/4
This was not done in case the STA did not use RSN overriding.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-25 19:22:00 +00:00
Jouni Malinen
9732c8b85c wlantest: Remove unused QoS handling from GCMP nonce generation
This was copied from CCMP, but is not needed (and can trigger compiler
warnings) with GCMP.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-25 00:39:30 +00:00
Jouni Malinen
e0053bf9d0 tests: Long extra KDE in EAPOL-Key msg 3/4
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-24 20:35:11 +00:00
Jouni Malinen
296104d35c Testing functionality to allow EAPOL-Key Reserved field to be set
The new hostapd configuration parameter eapol_key_reserved_random=1 can
be used for testing STA/Supplicant functionality to accept a random
value in the Reserved field within EAPOL-Key frames.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-24 17:22:42 +00:00
Jouni Malinen
2e4c612dd2 Allow RSNE/RSNXE/RSNOE/RSNO2E/RSNXOE to be replace for testing
This is convenient for testing STA behavior with various RSN element
combinations and special cases.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-24 01:01:29 +00:00
Jouni Malinen
bb61f6cb95 RSNO: Support over two octets of RSNXOE capabilities
The RSNXE generation function was extended to support this earlier, but
that update was missed from the RSNXOE variant.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-23 21:36:46 +00:00
Jouni Malinen
8b2ddfdbb6 RSNO: Allow RSNXE to be omitted
Add an explicit rsn_override_omit_rsnxe=1 configuration parameter to
allow the RSNXE to be omitted when using the RSNXOE and wanting to
minimize interoperability issues with STAs that might recognize the
RSNXE, but not handle it correctly, e.g., when multiple octets of
payload is included.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-23 21:20:45 +00:00
Hu Wang
92374d59d4 Enhance select_network() to trigger new scans in some cases
wpa_supplicant select_network() relies on fast_associate to reuse old
scan results. However, this approach does not apply in some cases in
Android:

1 - If the selected network is hidden, and the SSID is in Chinese,
Android switches between fallback SSIDs, necessitating a new scan for
switching between different hidden SSIDs.

2 - Similarly, if the selected SSID is OWE (Opportunistic Wireless
Encryption), and the OWE SSID bands have been changed, select_network()
requires a fresh scan to discover hidden OWE SSIDs.

To address these, enhance select_network() to trigger new scans instead
of relying on fast_associate. This improves network selection behavior
in Android.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-22 19:01:18 +00:00
Veerendranath Jakkam
ff99012d84 RSNO: Use correct MLO capability while fetching RSNE/RSNXE
Use current connection MLO capability to fetch the appropriate
RSNE/RSNXE variant while processing association event.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2024-07-22 18:50:24 +00:00
Veerendranath Jakkam
526ea193c8 Fallback to RSNXE when AP is not using valid RSN Overrding
wpa_supplicant was ignoring RSNXE also if the AP is not using valid
RSN overriding combination when the STA supports RSN overriding. Fix
this fallback to the RSNXE when AP is not using valid RSN overriding.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2024-07-22 18:48:20 +00:00
Vinay Gannevaram
4417b5ba86 Add QCA vendor interface to support Unsynchronized Service Discovery
Add a new QCA command QCA_NL80211_VENDOR_SUBCMD_USD and related
attributes to support Unsynchronized Service Discovery (USD).

Device in active subscriber role sends SDF frames with service
information to find devices that advertise or publish the required
services. Device address, operation type, instance id, service_id,
channel info, service specific info, element container attribute, and
timeout are sent to the driver to initiate USD publish or USD subscribe
operation. The driver sends QCA_NL80211_VENDOR_SUBCMD_USD event with
instance_id and the USD operation status. QCA_NL80211_VENDOR_SUBCMD_USD
is also used to update publish operation and to cancel the publish or
subscribe operation for a service. It also allows all the operations to
be terminated using the USD flush command.

Signed-off-by: Vinay Gannevaram <quic_vganneva@quicinc.com>
2024-07-20 21:00:21 +00:00
Jouni Malinen
8d54863550 tests: RSNE/RSNXE overriding
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-20 21:28:28 +03:00
Jouni Malinen
765c48d5ad RSNE/RSNXE overriding for STA
Add support for RSNE/RSNXE Override elements. Use these elements to
determine AP's extended RSN parameters.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-20 21:28:28 +03:00
Jouni Malinen
d0b55eb360 Make driver capabilities for AKM suites available within wpa_supplicant
In addition, add some of the previously missed AKM suites from the
default capabilities.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-20 21:28:28 +03:00
Jouni Malinen
5488e120d3 Use helper functions to access RSNE/RSNXE from BSS entries
This is a step towards allowing the contents of RSNE/RSNXE to be
overridden.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-20 21:28:28 +03:00
Veerendranath Jakkam
341bcb2b5c nl80211: Add a capability flag for RSN overriding
Add a new capability flag based on the nl80211 feature advertisement for
RSN overriding support.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2024-07-20 21:28:28 +03:00
Veerendranath Jakkam
6fad7224be Add QCA vendor feature flags to indicate RSN override elements support
Add a separate feature flag for STA mode to indicate support for RSN
override elements.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2024-07-20 21:28:28 +03:00
Jouni Malinen
157b016383 RSNE/RSNXE overriding for AP
Allow hostapd to be configured to advertised two separate sets of
RSNE/RSNXE parameters so that RSNE/RSNXE can use a reduced set of
capabilities (e.g., WPA2-Personal only) for supporting deployed STAs
that have issues with transition modes while the new override elements
can use a newer security option (e.g., WPA3-Personal only) for STAs that
support the new mechanism.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-20 21:28:28 +03:00
Jouni Malinen
b8a2d11ae0 Allow RSNXE Override element to override RSNXE contents during parsing
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-20 21:28:28 +03:00
Jouni Malinen
48ca68f6f8 Allow RSNE Override element to override RSNE contents during parsing
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-20 21:28:28 +03:00
Jouni Malinen
c16ac89be2 Add RSN overriding elements into IE parsing
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-20 21:28:28 +03:00
Jouni Malinen
6b0ce29d25 Define WFA vendor specific element types for RSNE/RSNXE overriding
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2024-07-20 21:28:28 +03:00
Jouni Malinen
e99cdfae41 The main branch is now used for v2.12 development
Signed-off-by: Jouni Malinen <j@w1.fi>
2024-07-20 21:16:55 +03:00
Jouni Malinen
d945ddd368 Preparations for v2.11 release
Update the version number for the build and also add the ChangeLog
entries for both hostapd and wpa_supplicant to describe main changes
between v2.10 and v2.11. Update the copyright years for the main
programs.

Signed-off-by: Jouni Malinen <j@w1.fi>
2024-07-20 21:04:37 +03:00
Davide Caratti
aa2dfae5eb dbus: Fix memory leak with Bonjour params for a P2P UPnP service
Using D-Bus, it is possible to add a valid UPnP service where 'query'
and 'response' are specified. In this case, memory for 'query' and
'response' is allocated but not used nor freed. Valgrind complains as
follows:

 42 bytes in 1 blocks are definitely lost in loss record 32 of 75
    at 0x484C214: calloc (vg_replace_malloc.c:1675)
    by 0x41C673: wpabuf_alloc (wpabuf.c:124)
    by 0x41C673: wpabuf_alloc_copy (wpabuf.c:162)
    by 0x54F41A: wpas_dbus_handler_p2p_add_service (dbus_new_handlers_p2p.c:2762)
    by 0x53B9A2: msg_method_handler (dbus_new_helpers.c:356)
    by 0x53B9A2: message_handler (dbus_new_helpers.c:412)
    by 0x4EAB4B8: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.19.13)
    by 0x5495DF: dispatch_data (dbus_common.c:37)
    by 0x5495DF: process_watch (dbus_common.c:73)
    by 0x5495DF: process_watch_read (dbus_common.c:89)
    by 0x41EE8E: eloop_sock_table_dispatch.part.0 (eloop.c:603)
    by 0x41FA46: eloop_sock_table_dispatch (eloop.c:597)
    by 0x41FA46: eloop_run (eloop.c:1233)
    by 0x56A3CE: wpa_supplicant_run (wpa_supplicant.c:8074)
    by 0x40DB06: main (main.c:393)

 49 bytes in 1 blocks are definitely lost in loss record 37 of 75
    at 0x484C214: calloc (vg_replace_malloc.c:1675)
    by 0x41C673: wpabuf_alloc (wpabuf.c:124)
    by 0x41C673: wpabuf_alloc_copy (wpabuf.c:162)
    by 0x54F348: wpas_dbus_handler_p2p_add_service (dbus_new_handlers_p2p.c:2755)
    by 0x53B9A2: msg_method_handler (dbus_new_helpers.c:356)
    by 0x53B9A2: message_handler (dbus_new_helpers.c:412)
    by 0x4EAB4B8: dbus_connection_dispatch (in /usr/lib64/libdbus-1.so.3.19.13)
    by 0x5495DF: dispatch_data (dbus_common.c:37)
    by 0x5495DF: process_watch (dbus_common.c:73)
    by 0x5495DF: process_watch_read (dbus_common.c:89)
    by 0x41EE8E: eloop_sock_table_dispatch.part.0 (eloop.c:603)
    by 0x41FA46: eloop_sock_table_dispatch (eloop.c:597)
    by 0x41FA46: eloop_run (eloop.c:1233)
    by 0x56A3CE: wpa_supplicant_run (wpa_supplicant.c:8074)
    by 0x40DB06: main (main.c:393)

Fix this ensuring that query and resp are freed both in the error and
non-error path of wpas_dbus_handler_p2p_add_service(). Also, add a test
in test_dbus.py to verify the correct behavior.

Signed-off-by: Davide Caratti <davide.caratti@gmail.com>
2024-07-20 20:28:40 +03:00
David Ruth
70e5bad563 dbus: Fix SignalChange property
SignalChange should be defined as a property of an interface.
Previously, it was incorrectly defined as a property of P2P peers.

Fixes: 7a7ce95746 ("dbus: Emit more information over D-Bus")
Signed-off-by: David Ruth <druth@chromium.org>
2024-07-20 20:20:38 +03:00
Sunil Ravi
ed5887a8c9 Move NULL check for driver private data (drv_priv)
In the hostapd_cleanup_driver() function, the NULL check for the driver
private data (drv_priv) is located within the CONFIG_IEEE80211BE feature
flag. As a result, on platforms where CONFIG_IEEE80211BE is not defined,
driver->hapd_deinit(drv_priv) is called with drv_priv set to NULL. This
leads to a null pointer exception in wpa_driver_nl80211_deinit().

To address this issue, move the NULL check for drv_priv outside the
CONFIG_IEEE80211BE build flag. This ensures that the check is performed
regardless of the value of CONFIG_IEEE80211BE, preventing the NULL
pointer exception.

Fixes: df34c2ced3 ("AP MLD: De-initialize/disable link BSS properly")
Signed-off-by: Sunil Ravi <sunilravi@google.com>
2024-07-20 20:14:08 +03:00
Veerendranath Jakkam
c3d305d939 FT: Fix FTE MIC calculation with fragmented FTE
Currently wpa_ft_parse_ies() is setting FTE information to wpa_buf
pointer data which is generated after defragmentation. This data will
not contain FTE and Fragment element(s) headers.

IEEE P802.11be/D5.0 describes the MIC to be calculated on the
concatenation of FTE and corresponding Fragment element(s) which
implies the element headers are included for each element in the
fragmented case.

Fix this by correctly populating FTE information when FTE is
fragmented.

Fixes: 43b5f11d9 ("Defragmentation of FTE")
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2024-07-15 10:51:44 -04:00
Michael-CY Lee
e7172e26d3 MLD STA: Find partner links by BSSID and SSID
Non-AP MLD finds AP MLD's partner links by BSSID from the scan results.
However, if the scan results contain BSSs with the same BSSID but
different BSS information, the non-AP MLD might assign a wrong BSS to
one of the AP MLD's partner links.

Avoids the problem by using both BSSID and SSID to find the AP MLD's
partner links.

Signed-off-by: Michael-CY Lee <michael-cy.lee@mediatek.com>
2024-07-13 18:09:32 +03:00