Always check the Message-Authenticator attribute in a received RADIUS
message if it is present. Previously, this would have been skipped if
the attribute was not required to be present.
Signed-off-by: Jouni Malinen <j@w1.fi>
hostapd required Message-Authenticator attribute to be included in EAP
authentication cases, but that requirement was not in place for MAC ACL
cases. Start requiring Message-Authenticator attribute for MAC ACL by
default. Unlike the EAP case, this can still be disabled with
radius_require_message_authenticator=1 to maintain compatibility with
some RADIUS servers when used in a network where the connection to such
a server is secure.
Signed-off-by: Jouni Malinen <j@w1.fi>
Do not allow the exception for missing Message-Authenticator in
Access-Reject without EAP-Message. While such exception is allowed in
RADIUS definition, there is no strong reason to maintain this since
Access-Reject is supposed to include EAP-Message and even if it doesn't,
discarding Access-Reject will result in the connection not completing.
Signed-off-by: Jouni Malinen <j@w1.fi>
Even if this might not be strictly speaking necessary for mitigating
certain RADIUS protocol attacks, be consistent with the RADIUS server
behavior and move the Message-Authenticator attribute to be the first
attribute in the RADIUS DAS responses from hostapd.
Signed-off-by: Jouni Malinen <j@w1.fi>
Even if this is not strictly speaking necessary for mitigating certain
RADIUS protocol attacks, be consistent with the RADIUS server behavior
and move the Message-Authenticator attribute to be the first attribute
in the message from RADIUS client in hostapd.
Signed-off-by: Jouni Malinen <j@w1.fi>
Even if this is not strictly speaking necessary for mitigating certain
RADIUS protocol attacks, be consistent with the RADIUS server behavior
and move the Message-Authenticator attribute to be the first attribute
in the message from RADIUS client.
Signed-off-by: Jouni Malinen <j@w1.fi>
Move the Message-Authenticator attribute to be the first attribute in
the RADIUS messages. This mitigates certain MD5 attacks against
RADIUS/UDP.
Signed-off-by: Jouni Malinen <j@w1.fi>
If a Message-Authenticator attribute was already added to a RADIUS
message, use that attribute instead of adding a new one when finishing
message building. This allows the Message-Authenticator attribute to be
placed as the first attribute in the message.
Signed-off-by: Jouni Malinen <j@w1.fi>
The rejected groups list is valid only during each individual SAE
authentication instance and it should not be maintained between separate
instances. In particular, it should not be maintained when roaming to
another AP since the APs might use different configuration for the
allowed SAE groups.
Signed-off-by: Jouni Malinen <j@w1.fi>
wpa_supplicant used to maintain the list of rejected groups for SAE over
multiple failed attempts. This could have some DoS issues, so clear this
list if SAE authentication attempts fails continuously.
Signed-off-by: Jouni Malinen <j@w1.fi>
When parsing a SAE Commit message, the temporary peer_rejected_groups
parameter was left to its old value in cases where the new SAE Commit
message did not include the Rejected Groups element. This could result
in unexpected behavior if a previously processed SAE Commit message
included a Rejected Groups element that claimed one of the enabled
groups to be rejected.
Explicitly clear the peer_rejected_groups value when parsing an SAE
Commit message without a Rejected Groups element to avoid rejecting the
new message based on some previously received incorrect information.
This avoids some potential denial-of-service issues during the lifetime
of the SAE temporary data.
Signed-off-by: Jouni Malinen <j@w1.fi>
Instead of practically ignoring an odd octet at the end of the element,
check for such invalid case explicitly. This is needed to avoid a
potential group downgrade attack.
Signed-off-by: Jouni Malinen <j@w1.fi>
Add a vendor attribute to configure a STA to follow AP advertised
preference values to select roam candidates with BTM.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Use the existing QCA_WLAN_VENDOR_ATTR_TWT_SETUP_RESPONDER_PM_MODE
attribute for TWT setup request to configure the Responder PM Mode bit
in the control field of the TWT element or broadcast TWT schedule.
Signed-off-by: Purushottam Kushwaha <quic_pkushwah@quicinc.com>
Add a flag attribute
QCA_WLAN_VENDOR_ATTR_TWT_SET_PARAM_UNAVAILABILITY_MODE into enum
qca_wlan_vendor_attr_twt_set_param to configure the TWT responder
unavailability outside of the SPs of its broadcast TWT schedule.
Signed-off-by: Purushottam Kushwaha <quic_pkushwah@quicinc.com>
Authentication rejection was found when doing fuzz testing even with a
valid SAE commit message when it was sent after a SAE commit message
that included an incorrect password identifier. The test steps for this
are as below:
1. Peer sends an abnormal commit message with incorrect password
identifier
2. APUT rejects as expected
3. Peer sends a valid commit message
4. APUT rejects again, which is not expected
In step 2, as the abnormal data fakes an empty password identifier
element, it passes sae_is_password_id_elem() checking. Memory is then
allocated for sae->tmp->pw_id. The authentication process then fails
due to no available password with this invalid password identifier.
In step 4, though the peer sends a valid commit message, APUT rejects
this SAE commit again due to no password identifier element (due to that
sae->tmp->pw_id being set), which is not expected.
Free the sae->tmp->pw_id field and set it to NULL when SAE commit
message processing fails due to an unknown password identifier so that
the bogus value is not used as a requirement for any consecutive SAE
commit from the same STA before the STA entry gets cleared.
Signed-off-by: Chenming Huang <quic_chenhuan@quicinc.com>
The Link Id attribute is required for secure ranging context to identify
the link on which the command is received for an MLD.
Signed-off-by: Nidhi Jain <quic_nidhjain@quicinc.com>
The Link Id attribute is required for QCA_NL80211_VENDOR_SUBCMD_PASN to
identify the link on which the command is received for an MLD.
Signed-off-by: Nidhi Jain <quic_nidhjain@quicinc.com>
The Link Id attribute is required for external ACS context to identify
the link on which the command is received for an AP MLD.
Signed-off-by: Diya Sati <quic_dsati@quicinc.com>
Add support for SSID protection in 4-way handshake based on the
mechanism added in IEEE 802.11REVme/D6.0. This is a mitigation against
CVE-2023-52424 (a.k.a. the SSID Confusion Attack).
This functionality is disabled by default and can be enabled with
ssid_protection=1. Once there has been more testing of this to confirm
there is no significant interoperability issues, the goal is to be able
to change this to be enabled by default.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Add support for SSID protection in 4-way handshake based on the
mechanism added in IEEE 802.11REVme/D6.0. This is a mitigation against
CVE-2023-52424 (a.k.a. the SSID Confusion Attack).
This functionality is disabled by default and can be enabled with
ssid_protection=1 in the network profile. Once there has been more
testing of this to confirm there is no significant interoperability
issues, the goal is to be able to change this to be enabled by default.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
wpa_supplicant might use a wrong BSS entry with the SSID different from
the current SSID of the current BSS while processing a roam event from
the driver when wpa_supplicant has a stale BSS entry with the old SSID
and the driver roams to the same BSS after it is restarted with a new
SSID.
To avoid this, update scan results from the driver when a BSS entry is
not found with the current SSID and try to fetch the BSS entry again
with the current SSID after this.
Also, with this change wpa_supplicant_get_new_bss() itself will update
the BSS table and search for the current BSS entry if it is not found in
the BSS table. So, remove the BSS table update and search logic from the
callers of wpa_supplicant_get_new_bss().
Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
Add the eht_mlo_color_change test case to perform color change on the
first link of an AP MLD. Performing on non-first link will be done
later.
Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
Add the he_bss_color_change test case which brings up an HE AP and
performs color change operations and validates the result.
Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
Send the link ID in the nl80211 command to switch color if the AP is
affiliated with an AP MLD.
Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
Once CCA is finished, Beacon frames need to be updated. The BCCA element
needs to be removed and the new color value shall be advertised in the
BSS Color Information field of the HE Operation element.
Update the Beacon frames accordingly.
Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
Add hostapd_cli command "color_change <color>" to change BSS color at
run time. hostapd_cli status can be used to check the updated color.
Usage: hostapd_cli -i <interface> color_change <color>
If 0 value is given, HE BSS color would be disabled. Same or a non-zero
value between [1-63] can be given to enable color again.
Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
Currently, if ACS scan request fails, states are cleared and returned.
However, in case of MLO, there is a possibilty of getting return value
of -EBUSY. In this case, ACS can retry the scan request after some time
similary to the HT40 scan.
Hence, retry the scan after 5 seconds if -EBUSY is returned. Maximum of
15 re-attempts are made before giving up.
Signed-off-by: Harshitha Prem <quic_hprem@quicinc.com>
Co-developed-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
Currently, RADIUS client, auth server, and 802.1X are copied from the
first link's BSS into the non-first link during its setup. However,
there could be a case where the first link is not initialized fully
because of ACS/HT40 SCAN/DFS. Hence, in such cases, NULL is getting
copied and later it leads to segmentation fault.
Initialize those on behalf of the first link in such case and update it
so that the next time other non-first link can use it.
Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
Parse the Multiple BSSID element in Beacon frames and create and update
all the nontransmitted BSSs.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Userspace tools can use QCA_WLAN_VENDOR_ATTR_CONFIG_IF_OFFLOAD_TYPE to
configure the different below acceleration features (hardware, software)
on a per interface basis.
0 - No acceleration Packets are processed through the Linux kernel
networking stack.
1 - Software based acceleration: Packets are processed through the
shortcut forwarding engine (SFE) to bypass the Linux networking stack
for improved throughput performance. This option is applicable for AP,
STA, and Mesh mode and available for all radio designs. From the
performance aspect, this option consumes more CPU compared to the other
two options. Linux traffic control can be further applied with this
option to have more control on the traffic flows.
2 - Hybrid acceleration (software and hardware acceleration combined):
Packets are processed through both hardware and software in this case.
Packet classification is done by the hardware and then the packets are
delivered to software along with classification results as meta data.
Software can choose to do more classification/QoS based on use cases.
This is applicable for AP, STA, and Mesh modes and is available for all
radio designs. From the performance aspect, this option consumes
relatively less CPU compared to the SFE option above. Linux traffic
control rules cannot be applied with this option.
3 - Hardware based acceleration : Packets are processed through special
hardware (Direct Switch) rings which can directly forward the packets
between ethernet hardware and Wi-Fi hardware with very less software
involvement. This is applicable only for AP and STA modes; not
applicable for Mesh mode. From the performance aspect, this option
consumes very much less CPU compared to the other options. Linux traffic
control rules cannot be applied when this option is used. This option is
applicable only for specific radio designs. When this option is not
available, the default option (SFE) would be configured.
Signed-off-by: Balamurugan Mahalingam <quic_bmahalin@quicinc.com>
Add following vendor attributes to dynamically configure parameters to
detect data stall for consecutive TX no ack.
- QCA_WLAN_VENDOR_ATTR_CONFIG_CONSECUTIVE_TX_NO_ACK_DURATION
- QCA_WLAN_VENDOR_ATTR_CONFIG_CONSECUTIVE_TX_NO_ACK_THRESHOLD
Signed-off-by: Jianmin Zhu <quic_jianminz@quicinc.com>
Add a new hostapd configuration parameter max_acceptable_idle_period to
allow the AP to accept per-STA requested BSS max idle periods.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Add a new wpa_supplicant network profile parameter max_idle that can be
used to specify a specific maximum idle period in units of 1000 TUs
(1.024 s) for associations.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Allow hostapd to be configured to not disconnect a STA if the STA fails
to reply to a group key handshake when BSS max idle period management is
used. This might be needed for some STAs that use aggressive power
saving (e.g., battery powered IoT devices).
This is disabled by default since this can delayed group rekeying
slightly and also to maintain the previous behavior. The more relaxed
operation can be enabled with the new configuration parameter
no_disconnect_on_group_keyerror=1.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Allow AP's behavior for BSS Max Idle Period management to be configured.
Previously, this was automatically enabled for all CONFIG_WNM_AP=y
builds. This can now be changed with the new hostapd configuration
parameter bss_max_idle:
0 = BSS Max Idle Period management disabled
1 = BSS Max Idle Period management enabled
(default and the previous behavior)
2 = BSS Max Idle Period management enabled with requirement for
protected keep-alive frames
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Add attributes to QCA_NL80211_VENDOR_SUBCMD_SET_WIFI_CONFIGURATION
vendor command to configure asymmetric TX/RX NSS and chains per band.
Also document driver's response when existing attributes to configure
TX/RX NSS and chains for all the bands 2.4 GHz and 5/6 GHz are used in
the same command.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Add kernel documentation to the attributes used in the vendor command
QCA_NL80211_VENDOR_SUBCMD_SET_WIFI_CONFIGURATION to configure the NSS
and chains values used for transmitting and receiving the data.
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>