Commit graph

18624 commits

Author SHA1 Message Date
Jouni Malinen
8e6485a1bc PEAP client: Update Phase 2 authentication requirements
The previous PEAP client behavior allowed the server to skip Phase 2
authentication with the expectation that the server was authenticated
during Phase 1 through TLS server certificate validation. Various PEAP
specifications are not exactly clear on what the behavior on this front
is supposed to be and as such, this ended up being more flexible than
the TTLS/FAST/TEAP cases. However, this is not really ideal when
unfortunately common misconfiguration of PEAP is used in deployed
devices where the server trust root (ca_cert) is not configured or the
user has an easy option for allowing this validation step to be skipped.

Change the default PEAP client behavior to be to require Phase 2
authentication to be successfully completed for cases where TLS session
resumption is not used and the client certificate has not been
configured. Those two exceptions are the main cases where a deployed
authentication server might skip Phase 2 and as such, where a more
strict default behavior could result in undesired interoperability
issues. Requiring Phase 2 authentication will end up disabling TLS
session resumption automatically to avoid interoperability issues.

Allow Phase 2 authentication behavior to be configured with a new phase1
configuration parameter option:
'phase2_auth' option can be used to control Phase 2 (i.e., within TLS
tunnel) behavior for PEAP:
 * 0 = do not require Phase 2 authentication
 * 1 = require Phase 2 authentication when client certificate
   (private_key/client_cert) is no used and TLS session resumption was
   not used (default)
 * 2 = require Phase 2 authentication in all cases

Signed-off-by: Jouni Malinen <j@w1.fi>
2023-07-17 21:09:26 +03:00
Jouni Malinen
599d00be9d wlantest: Support HT Control field in Robust Management frames
Check the +HTC bit in FC to determine if the HT Control field is present
when decrypting Robust Management frames. This was already done for QoS
Data frames, but the Management frame case had not been extended to
cover this option.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-06-22 22:44:51 +03:00
Veerendranath Jakkam
30f5bdc34c Add support to configure per-MLO link maximum supported channel width
Update documentation of the QCA_WLAN_VENDOR_ATTR_CONFIG_CHANNEL_WIDTH
and QCA_WLAN_VENDOR_ATTR_CONFIG_CHAN_WIDTH_UPDATE_TYPE attributes to
indicate support for per-MLO link configuration.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2023-06-22 22:32:42 +03:00
Veerendranath Jakkam
3d1ec9d0af Add QCA vendor interface to support per-MLO link configurations
Add support for per-MLO link configurations in
QCA_NL80211_VENDOR_SUBCMD_SET_WIFI_CONFIGURATION and
QCA_NL80211_VENDOR_SUBCMD_GET_WIFI_CONFIGURATION commands.

Additionally, add documentation for
QCA_NL80211_VENDOR_SUBCMD_SET_WIFI_CONFIGURATION and
QCA_NL80211_VENDOR_SUBCMD_GET_WIFI_CONFIGURATION commands.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2023-06-22 22:32:33 +03:00
Vamsi Krishna
f83cc05aa4 Reserve QCA vendor sub command id 232
This is reserved for QCA use.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-06-22 22:00:34 +03:00
Kiran Kumar Lokere
82db29c37e QCA vendor test config attribute for MLO link powersave
Define a new QCA vendor test config attribute to configure powersave
on MLO links.

This attribute is used for testing purposes.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-06-22 21:58:36 +03:00
Paul Zhang
f37a7dec3d Add vendor attributes for EPCS feature
Add vendor attribute QCA_WLAN_VENDOR_ATTR_CONFIG_EPCS_CAPABILITY
to set EPCS (Emergency Preparedness Communications Service)
feature capability.

Add vendor attribute QCA_WLAN_VENDOR_ATTR_CONFIG_EPCS_FUNCTION
to enable/disable EPCS priority access.

These are for testing purposes.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-06-22 21:55:08 +03:00
Ainy Kumari
a8c66bbb7a QCA vendor interface to control maximum allowed bandwidth update type
Add support to control maximum allowed bandwidth update type for
the current connection.

Signed-off-by: Ainy Kumari <quic_ainykuma@quicinc.com>
2023-06-22 21:38:03 +03:00
Aleti Nageshwar Reddy
19e880d1f8 Add support to get the TDLS wider bandwidth capability
Extend bitwise mask in enum qca_wlan_tdls_caps_features_supported to get
the TDLS wider bandwidth capability from the driver.

Signed-off-by: Aleti Nageshwar Reddy <quic_anageshw@quicinc.com>
2023-06-22 21:31:33 +03:00
Aleti Nageshwar Reddy
a8a112d4d1 Add documentation and nested attribute enums for existing QCA TDLS commands
Add missing documentation and nested attribute enums for the existing
QCA TDLS vendor commands.

Signed-off-by: Aleti Nageshwar Reddy <quic_anageshw@quicinc.com>
2023-06-22 21:29:07 +03:00
Nirav Shah
91783b21be Define a QCA vendor attribute to configure UL MU transmission
Define a new QCA vendor attribute to enable/suspend trigger
based UL MU transmission.

Signed-off-by: Prasanna JS <quic_pjs@quicinc.com>
2023-06-22 21:15:43 +03:00
Chenming Huang
05a2f4c4f8 EHT: Process puncturing bitmap from channel select driver event for ACS
Retrieve the puncturing bitmap sent by the driver in channel select
events for ACS when using the QCA vendor specific event.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-06-22 17:49:10 +03:00
Veerendranath Jakkam
9b233e9f0a nl80211: Always return NL_SKIP from survey dump handler
Previously, NL_STOP was returned from the survey dump handler if the
maximum number of frequencies was reached for storing survey
information, but this is causing wpa_supplicant context getting stuck if
the current SKB returned by the kernel itself ends with NLMSG_DONE type
message. This is due to libnl immediately stopping processing the
current SKB upon receiving NL_STOP and not being able to process
NLMSG_DONE type message, and due to this wpa_supplicant's
finish_handler() not getting called. Fix this by returning NL_SKIP
instead while still ignoring all possible additional frequencies.

Signed-off-by: Veerendranath Jakkam <quic_vjakkam@quicinc.com>
2023-06-22 17:28:38 +03:00
Xinyue Ling
3a995cb5a9 Determine current hw mode before channel switch
There are two hw modes (5 GHz and 6 GHz) with HOSTAPD_MODE_IEEE80211A
and the current hw mode may be wrong after one channel switch to 6 GHz.
This will cause hostapd_set_freq_params() to return -1 when saving
previous state and the second channel switch to fail. Fix this by adding
hostapd_determine_mode() before every channel switch.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-06-22 17:20:44 +03:00
Shivani Baranwal
a786c9b4a0 Enhance QCA_WLAN_VENDOR_ATTR_CONFIG_EHT_MLO_MAX_NUM_LINKS
Use zero value with QCA_WLAN_VENDOR_ATTR_CONFIG_EHT_MLO_MAX_NUM_LINKS to
restore the device default maximum number of allowed MLO links
capability.

Also, as per IEEE 802.11be/D3.0, the maximum number of allowed links for
an MLO connection is 15. Update the documentation of the attribute to
indicate the same.

Signed-off-by: Shivani Baranwal <quic_shivbara@quicinc.com>
2023-06-20 23:58:17 +03:00
Jouni Malinen
aa4b8492e4 AP MLD: Provide Link ID when requesting current seqnum for a group key
This is needed to match the key configuration design with a single
netdev and the nl80211 driver interface.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-06-15 17:43:17 +03:00
Jouni Malinen
19b6a1513f tests: Additional EHT MLD AP coverage
Verify behavior in SAE/PSK transition mode and PTK rekeying.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-06-15 17:34:02 +03:00
Andrei Otcheretianski
f5592e2d5e tests: Add basic MLD hwsim tests
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-06-15 17:34:02 +03:00
Andrei Otcheretianski
5199cff4c7 AP/MLO: Forward received EAPOL frames to correct BSS
In case of MLO AP and legacy client, make sure received EAPOL frames are
processed on the correct BSS.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-06-15 17:34:02 +03:00
Andrei Otcheretianski
5c6cad01fd AP/MLO: Forward Management frame TX status to correct BSS
In case of MLO AP and legacy client, make sure Management frame TX
status is processed on the correct BSS.

Since there's only one instance of i802_bss for all BSSs in an AP MLD in
the nl80211 driver interface, the link ID is needed to forward the
status to the correct BSS. Store the link ID when transmitting
Managements frames and report it in TX status.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-06-15 17:34:02 +03:00
Andrei Otcheretianski
996759ccf7 AP/MLO: Forward EAPOL TX status to correct BSS
In case of MLO AP and legacy client, make sure EAPOL TX status is
processed on the correct BSS.

Since there's only one instance of i802_bss for all BSSs in an AP MLD in
the nl80211 driver interface, the link ID is needed to forward the EAPOL
TX status to the correct BSS. Store the link ID when transmitting EAPOL
frames over control interface and report it in TX status.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-06-15 17:34:02 +03:00
Andrei Otcheretianski
8b56536693 AP: Use MLD address for traffic tests
In case of MLD use the MLD address.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-06-15 17:34:02 +03:00
Andrei Otcheretianski
6046aef734 AP: Don't process SAE/OWE association info on MLD links
Only the main link handles SAE authentication and OWE, skip them on
other links.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-06-15 17:34:02 +03:00
Andrei Otcheretianski
90d819c242 AP: Use MLD address for SAE commit derivation
MLO associations use the MLD address instead of the MAC address in SAE
derivation.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-06-15 17:34:02 +03:00
Ilan Peer
8b49853f49 AP: Specify the link ID for set_key() callback for group keys
If the AP is part of an AP MLD specify the link ID in the set_key
parameters whenever setting a group key.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-06-15 17:34:02 +03:00
Ilan Peer
8a8752876a MLO: Get the correct AA and SPA based on MLD operation for RSN authenticator
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2023-06-15 17:34:02 +03:00
Ilan Peer
d5e93c8043 MLO: Add MLO KDEs to EAPOL-Key msg 1/2 of the group handshake
This provides the link specific group keys and last used PN/IPN/BIPN
values to the Supplicant in the MLO KDEs instead of the KDEs used for
non-MLO cases.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2023-06-15 17:34:02 +03:00
Ilan Peer
79212e93f7 MLO: Validate MLO KDEs in EAPOL-Key msg 4/4
Verify that the MLD address in EAPOL-Key msg 4/4 is set correctly for
MLO cases. Note that the mechanism used here for distinguishing between
EAPOL-Key msg 2/4 and 4/4 is not exactly ideal and should be improved in
the future.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-06-15 17:32:31 +03:00
Andrei Otcheretianski
856d99410f MLO: Add MLO KDEs to EAPOL-Key msg 3/4
This provides the link specific group keys and last used PN/IPN/BIPN
values to the Supplicant in the MLO KDEs instead of the KDEs used for
non-MLO cases.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-06-14 11:35:04 +03:00
Andrei Otcheretianski
137b855092 MLO: Mechanism for fetching group key information for the links
Allow RSN authenticator to fetch the current group key information with
the keys and the last used PN/IPN/BIPN for MLO specific KDEs.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-06-14 11:34:58 +03:00
Ilan Peer
eb28ee20e7 MLO: Validate MLO Link KDEs in EAPOL-Key msg 2/4
Verify that the affiliated link information matches between association
(unprotected) and 4-way handshake (protected).

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-06-14 11:34:54 +03:00
Ilan Peer
151ac359dd MLO: Add MAC Address KDE to EAPOL-Key msg 1/4 for MLO association
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-06-14 11:34:12 +03:00
Andrei Otcheretianski
3102d7676b MLO: Store MLO link information in RSN Authentication
Make the MLO related information available for the RSN Authenticator
state machine to be able to perform steps needed on an AP MLD. The
actual use of this information will be in the following commits.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-06-14 11:34:07 +03:00
Andrei Otcheretianski
cb130bbcb9 AP: MLO: Forward link specific events to the identified link
Process Management and EAPOL frames on the correct link.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-06-12 23:19:14 +03:00
Andrei Otcheretianski
3613c8a96f nl80211: Use frequency to determine MLD link for MLME events
This is needed since link_id is not always available. In addition,
recognize the link address as a known address.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-06-12 23:13:21 +03:00
Ilan Peer
d3e20b2113 AP/driver: Add link id to the set_tx_queue_params() callback
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2023-06-12 16:34:08 +03:00
Ilan Peer
fbbca2bf16 AP: Provide the link ID for an MLD setting when setting VLAN
This is a required modification to the driver interface and driver
nl80211.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2023-06-12 16:31:00 +03:00
Andrei Otcheretianski
172b0a9a2b AP/driver: Add link ID to send EAPOL callbacks
EAPOL frames may need to be transmitted from the link address and not
MLD address. For example, in case of authentication between AP MLD and
legacy STA. Add link_id parameter to EAPOL send APIs.

Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-06-12 16:26:56 +03:00
Andrei Otcheretianski
c5271faf55 AP: Print MLD info in STATUS command
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-06-12 16:26:56 +03:00
Ilan Peer
d75ebe23d8 AP: Handle Management frame TX status for AP MLD address
This allows proper TX status handling when MLD addressing is used for
Management frames. Note, that the statuses are still not forwarded to
the correct link BSS. This will be handled in later commits.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2023-06-12 16:26:56 +03:00
Ilan Peer
7a9ae9f43e AP: Do not prune station when adding a link station
As otherwise the original station would be pruned.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
2023-06-12 16:26:56 +03:00
Ilan Peer
5a61644fff driver: Specify link ID for 'send_mlme' and 'sta_deauth' callbacks
This is needed for the driver to know on which link it should transmit
the frames in MLO cases.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-06-12 16:26:49 +03:00
Jouni Malinen
64d9ba3e6e Use a shared function for setting port authorization changes
Get rid of the duplicated code for setting IEEE 802.1X port
authorization for MLD and non-MLD cases.

Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
2023-06-12 15:42:52 +03:00
Ilan Peer
edacd72d95 AP: MLO: Handle IEEE 802.1X port authorization
Handle IEEE 802.1X port authorization in the context of MLO.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-06-12 15:36:54 +03:00
Ilan Peer
5650205342 AP: MLO: Handle deauthentication/disassociation of MLD station
When a non-AP MLD is deauthenticated/disassociated from an MLD AP, make
sure to clean up its state from all links.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-06-12 13:58:06 +03:00
Ilan Peer
ced69780c1 AP: Cleanup coding style for deauth/disassoc handling
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-06-12 13:51:01 +03:00
Ilan Peer
62fcfe8d28 AP: Move deauthentication/disassociation steps into helper functions
This is a step towards handling of deauthentication/disassociation from
an MLD AP.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-06-12 13:45:41 +03:00
Ilan Peer
55038680a6 AP: MLO: Handle association callback
Handle association request callback in the context of MLO.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-06-12 13:12:15 +03:00
Andrei Otcheretianski
408b2a5625 AP: MLO: Add Multi-Link element to (Re)Association Response frame
Add the full station profile to the Multi-Link element in the
(Re)Association Response frame. In addition, use the AP MLD's MLD MAC
address as SA/BSSID once the non-AP MLD has been added to the driver to
use address translation in the driver.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-06-08 23:45:15 +03:00
Andrei Otcheretianski
5f5db9366c AP: MLO: Process Multi-Link element from (Re)Association Request frame
Implement processing of the Multi-Link element in the (Re)Association
Request frame, including processing of the Per-STA Profile subelement.

After handling the basic parsing of the element and extracting the
information about the requested links, handle the link specific
processing for each link:

- Find the interface with the corresponding link ID.
- Process the station profile in the interface.
- Prepare the Per-STA Profile subelement to be included in the
  Multi-Link element in the (Re)Association Response frame.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
2023-06-08 20:31:20 +03:00