nl80211: Ignore global regulatory change for self managed drivers
For drivers with self managed regulatory support enabled, private
regdomain is the only valid domain. Hence, ignore the global regulatory
domain change event (NL80211_CMD_REG_CHANGE) if the driver is enabled
with self managed regulatory domain, as the regulatory domain for those
drivers will be updated via NL80211_CMD_WIPHY_REG_CHANGE.
Jouni Malinen [Thu, 9 Oct 2025 22:08:24 +0000 (01:08 +0300)]
Debug print op_class changes from setting new frequency
Since the recent addition of update op_class here in commit 3bc01a901803
("Update conf->op_class in hostapd_change_config_freq()") has needed at
least two fixes, it is good to get clear debug prints from it to be able
to figure out any potential remaining issues more easily.
Jouni Malinen [Thu, 9 Oct 2025 22:06:56 +0000 (01:06 +0300)]
DFS: Update operating class on channel changes in the fallback case
Some of the DFS channel change operations seemed to fail when moving to
new channel based on radar detection without updating the op_class
configuration to match the new channel. Address these by updating
op_class in addition to the channel number in this additional fallback
case.
Fixes: 3bc01a901803 ("Update conf->op_class in hostapd_change_config_freq()") Signed-off-by: Jouni Malinen <jouni.malinen@oss.qualcomm.com>
Jouni Malinen [Thu, 9 Oct 2025 21:41:23 +0000 (00:41 +0300)]
PASN: Fix buffer tailroom validation in wpa_pasn_add_wrapped_data()
While the initial tailroom checks covers the unfragmented case
accurately, the length of the fragment header was not counted correctly
for the case where the Wrapped Data element needs to be fragmented. This
could theoretically result in missing a case where the target buffer is
a bit shorter than all the needed fragments and the following
wpabuf_put*() operation could resulted in terminating the process due to
the additional check to prevent buffer overflows.
The existing use cases for this function within wpa_supplicant do not
seem to generate buffers that would be even close to reaching this limit
due to large buffer size used for the target. Anyway, this check needs
to be fixed to avoid any potential issues in the future or in external
uses for this function.
Jouni Malinen [Thu, 9 Oct 2025 21:29:58 +0000 (00:29 +0300)]
PASN: Fix buffer tailroom validation in wpa_pasn_add_extra_ies()
The length of the additional elements was not used correctly, so the
check for remaining tailroom would not have caught cases where there is
not enough remaining room in the buffer and the following
wpabuf_put_data() operation would have resulted in terminating the
process due to the additional check to prevent buffer overflows.
The existing use cases for this function within wpa_supplicant do not
seem to generate buffers that would be even close to reaching this limit
due to large buffer size used for the target. Anyway, this check needs
to be fixed to avoid any potential issues in the future or in external
uses for this function.
Fixes: b1ed44b6a699 ("PASN: Allow extra elements to be added into PASN Authentication frames") Signed-off-by: Jouni Malinen <jouni.malinen@oss.qualcomm.com>
Jouni Malinen [Thu, 9 Oct 2025 14:12:09 +0000 (17:12 +0300)]
WPS ER: Clear HTTP socket on NOTIFY processing errors
Since we process only a single request from the socket, there is no need
to maintain the HTTP socket when we detect an error. That will just
delay closing of the socket until WPS ER is stopped. Instead, close the
socket immediately on detecting the error to match the behavior for
unsupported HTTP request types and any cases where we send a response.
Jouni Malinen [Thu, 9 Oct 2025 10:03:39 +0000 (13:03 +0300)]
Reduce debug logging of configuration file details in wpa_supplicant
Avoid printing some of the details about parsing failures and invalid
data read from a configuration file when parsing it for normal
wpa_supplicant operation. This helps in reducing risk for leaking
information about files that the wpa_supplicant process itself might be
able to read, but the process requesting a new interface to be added
(e.g., though a control interface operation) might not have privileges
to read.
This does not remove all the prints in all cases, but reduces debug
prints significantly for cases where the specified configuration file is
does not use the same syntax as a valid wpa_supplicant configuration
file would.
The previously available level of detailed parsing information is
available for debugging purposes by running wpa_supplicant separately
for this without requesting any actual operation to be started. This can
be done, e.g., with the following command:
wpa_supplicant -c /tmp/test.conf -d
In addition to the debug information printed to stdout, the return code
from the process indicates whether the full configuration file was
parsed successfully.
It is also possible to explicitly request the parsing details to be
included in the debug log from normal operation by adding -y to the
command line. This is meant only for systems here the debug log is not
exposed to users that do not have access to the same set of files as the
wpa_supplicant process has.
MBSSID: Use probed hostapd context during probe response generation
While filling MBSSID elements during Probe Response frame generation,
the TX BSS context is passed to hostapd_eid_mbssid() and
hostapd_eid_mbssid_len(), but for a Probe Request frame directed to a
non-TX BSS, these functions need probed hostapd context as well.
Hence, make changes to pass the probed hostapd context while generating
Probe Response frames.
MBSSID: Send probe response only from transmitting BSS for MBSSID
In MBSSID enabled case, when a Probe Request frame with A3=wildcard
BSSID is received and the SSID matches that of a non-TX BSS, the Probe
Response frmae is queued to the driver with non-TX BSS context. But,
mgmt->sa will be set to the TX BSS as it should be used to build the
Probe Response frame. This leads to TX failure as kernel checks the
management address with that of the BSS address, in this case it is the
non-TX BSS address.
Fix this issue by using the TX BSS for queuing the Probe Response frame
to the driver.
Jouni Malinen [Wed, 8 Oct 2025 16:38:31 +0000 (19:38 +0300)]
DFS: Update operating class on channel changes
Some of the DFS channel change operations seemed to fail when moving to
a new channel based on radar detection without updating the op_class
configuration to match the new channel. Address these by updating
op_class in addition to the channel number.
Update conf->op_class in hostapd_change_config_freq()
Some cases of channel switching, e.g., when changing from a 320 MHz
channel to a 80 MHz channel in the 6 GHz band, has been observed to
cause disconnections due to non-AP MLDs getting confused with inaccurate
information.
On the AP side, the new target channel's ccfs0 and ccfs1 have incorrect
values in the EHT Operating Information element. This is because,
in hostapd_eid_eht_operation(), the ch_width is calculated based on
conf->op_class and during the channel switch, hostapd_change_config_freq()
does not assign the target channel's op_class to conf->op_class during
the construction of the Beacon frame template.
Fix this issue by assigning conf->op_class in
hostapd_change_config_freq().
Also, change the datatype of channel in hostapd_change_config_freq()
from int to u8, as IEEE 802.11 channel numbers are represented with 8
bits, and can only be between 1 to 255.
When wpa_auth was reconfigured, its configuration was regenerated and
applied directly. This can result in the state machine being initialized
with parameters that exceed the driver’s supported capabilities.
Consequently, some kernel requests might get rejected, causing the state
machine to enter a failure state—preventing any client from connecting
post-reconfiguration.
However, during a normal bring-up sequence, the generated configuration
is first updated based on the interface’s capabilities. This ensures
that the initial setup of the wpa_auth state machine remains within
supported limits and succeeds.
Hence fix this issue by moving the configuration updating part to a
helper function and call it during initial as well as during
reconfiguration time.
PASN: Extend PASN support for SAE-EXT-KEY in Responder mode
The previous PASN implementation had checks only for SAE as the base
AKMP. Update PASN logic to treat SAE-EXT-KEY as a valid base AKM
alongside SAE in Responder cases, enabling PASN operations with the
extended SAE key management suite. This aligns with IEEE Std 802.11-2024
updates to PASN with SAE.
Signed-off-by: Sai Pratyusha Magam <smagam@qti.qualcomm.com> Signed-off-by: Rohan Dutta <drohan@qti.qualcomm.com>
Ainy Kumari [Fri, 3 Oct 2025 06:28:36 +0000 (11:58 +0530)]
PASN: SAE-EXT-KEY AKM support for PASN Authentication in Initiator mode
Add support for WPA_KEY_MGMT_SAE_EXT_KEY in PASN authentication in
initiator mode. Update PASN logic to treat SAE-EXT-KEY as a valid base
AKM alongside SAE, enabling PASN operations with the extended SAE key
management suite. This aligns with IEEE Std 802.11-2024 updates to PASN
with SAE.
Define a new vendor subcommand QCA_NL80211_VENDOR_SUBCMD_GET_COEX_STATS
to retrieve Wi-Fi and Bluetooth coexistence statistics from the driver.
This subcommand allows userspace applications to query information about
the current Bluetooth Coexistence (BTC) mode and policy settings. The
implementation provides the following information:
- PDEV ID
- Current BTC mode
- Current BTC policy
This subcommand helps diagnose interference issues between Wi-Fi and
Bluetooth, monitor coexistence mechanisms, and optimize performance when
both radios are operating simultaneously.
David Benjamin [Mon, 6 Oct 2025 15:18:39 +0000 (11:18 -0400)]
crypto: Remove some unreachable algorithms
The tls_ciphers table contained a number of algorithms that weren't
referenced in tls_cipher_suites. Remove those. That includes
TLS_CIPHER_IDEA_CBC, which was probably always broken because it was
mapped to CRYPTO_CIPHER_NULL. It also removes RC2, which is an
export-only cipher, despite the file saying it doesn't bother with
exportable ciphers.
That, in turn, removes all references to CRYPTO_CIPHER_ALG_RC2, so
remove that too. The OpenSSL port of CRYPTO_CIPHER_ALG_RC2 probably
never worked anyway because it uses RC2 in ECB mode instead of CBC.
It's likely other removals are possible. tlsv1_common.c has single-DES
ciphers, but tlsv1_client.c and tlsv1_server.c only configure a much
smaller list. There's also a lot of code for TLS_KEY_X_DH_anon, but
those ciphers aren't configured. I've left those alone because I'm not
sure how all this code is used.
Signed-off-by: David Benjamin <davidben@google.com>
Rathan Appana [Thu, 2 Oct 2025 17:01:25 +0000 (19:01 +0200)]
OpenSSL: Enforce leaf cert expiry check with server cert pinning
When wpa_supplicant is configured to use EAP authentication with
ca_cert="hash://server/sha256/<hex>", the connection is set to
server_cert_only mode. In this mode, all leaf certificate validation
errors are currently ignored if the hash matches. This behavior was
introduced in commit 00033a0903f6 ("OpenSSL: Always accept pinned
certificates") to ignore chain validation problems [1], but it also
unintentionally ignores expiry and not-yet-valid errors on the leaf
certificate.
This patch changes the validation logic under servert_cert_only mode so
that expiry (X509_V_ERR_CERT_HAS_EXPIRED) and not-yet-valid
(X509_V_ERR_CERT_NOT_YET_VALID) errors are not ignored, while other
validation errors continue to be bypassed if the hash matches. If expiry
checks must be disabled, the existing tls_disable_time_checks option can
still be used.
OpenSSL: Leaf certificate time validity check when no CA is configured
When ca_cert_verify=0 (CA is not configured) the callback overrides all
OpenSSL errors, including time validity. Add an explicit leaf (depth 0)
check and do not override X509_V_ERR_CERT_HAS_EXPIRED/NOT_YET_VALID,
unless TLS_CONN_DISABLE_TIME_CHECKS is set.
This preserves the existing behavior of ignoring chain/issuer errors in
no-CA mode; pinning/CRL/OCSP/name checks are unchanged.
Benjamin Berg [Thu, 7 Aug 2025 11:25:57 +0000 (13:25 +0200)]
nl80211: Delay event processing during command handling
Unrelated nl80211 events may arrive while the driver is waiting for the
confirmation of another command. These events must not be delivered
immediately as they may confuse the internal state machine. They also
must be delivered, but some commands would cause them to be dropped.
Fix this up by queuing all events for later processing. Note that this
code is not very elegant as libnl does not export the nl_cb_call()
function. Add a hook into the two relevant functions that process
events. This hook will forward command replies to the correct handler
and queue the event if they should not be processed immediately.
Note that in a lot of cases this cannot happen because different nl80211
sockets are used for different purposes. However, the EAPOL frames
specifically have to be delivered over the same socket that all
connection related commands are done. So for these notifications the
race condition can happen and could cause a state confusion in
wpa_supplicant.
An example of this happening was observed in the autogo_pbc test where
wpa_supplicant would initiate a deauth and during that time also handle
an EAPOL frame that itself caused another deauthentication. This
resulted in a double free of wpa_s->current_ssid.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Ilan Peer [Tue, 5 Aug 2025 15:13:17 +0000 (17:13 +0200)]
WNM: Extend the discovery of the 6 GHz candidates
Candidates on 6 GHz channels might be collocated ones, and thus, in
order to discover them need to include the frequencies on the 2.4/5 GHz
bands.
Extend the WNM scan frequency channels to include the 2.4/5 GHz channels
in case the WNM neighbor list included candidates on the 6 GHz band.
Since such a scan can be long, optimize the case of a single channel and
instead force passive scanning.
In addition, in case the candidate validity interval is too short,
ignore the validity interval, and set it to 5 seconds, as we are
increasing the discovery time so results might not be valid once we get
them.
Signed-off-by: Ilan Peer <ilan.peer@intel.com> Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Avraham Stern [Tue, 5 Aug 2025 15:13:16 +0000 (17:13 +0200)]
WNM: Refactor wnm_set_scan_freqs()
Use int_array_add_unique() instead of the dedicated add_freq(), which
now can be removed. This also allows removing some local variables
that are no longer needed.
Signed-off-by: Avraham Stern <avraham.stern@intel.com> Reviewed-by: Otcheretianski, Andrei <andrei.otcheretianski@intel.com> Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Avraham Stern [Tue, 5 Aug 2025 15:13:15 +0000 (17:13 +0200)]
Try the next AP from scan results if connection attempt fails
If connection to a selected AP fails and there are other candidates in
the BSS table and scan results are not too old, try to fast associate to
the next available candidate without triggering another full scan.
Signed-off-by: Avraham Stern <avraham.stern@intel.com> Reviewed-by: Peer, Ilan <ilan.peer@intel.com> Reviewed-by: Otcheretianski, Andrei <andrei.otcheretianski@intel.com> Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Jouni Malinen [Mon, 6 Oct 2025 17:36:47 +0000 (20:36 +0300)]
tests: Longer sta_reassoc timeout in sigma_dut_ft_rsnxe_used_mismatch
This RSNXE Used mismatch case depended on very quick attempt to
reconnect on failure. That ends up hitting an issue with wpa_supplicant
changes, so use a longer timeout here in the negative test case.
Benjamin Berg [Tue, 5 Aug 2025 15:13:14 +0000 (17:13 +0200)]
wext: Suppress kernel generated disassoc event
wpa_supplicant already generates the event internally when
disassociating. In the case of a new association, such an event may also
be generated by the kernel for the previous connection and needs to be
ignored.
Without this fix the next commit that optimizes the scanning behavior on
connection failures would trigger an unexpected failure in the
wext_pmska_cache hwsim test.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Benjamin Berg [Thu, 31 Jul 2025 13:57:02 +0000 (15:57 +0200)]
tests: Ensure chan_switch tests receive a beacon after switch
mac80211 might disconnect if the beacon is incorrect after the channel
switch due to a misconfiguration of the GO. This would happen in the
test as HT is not explicitly selected and was disabled after the switch.
The only reason the test passed was because the traffic check would
usually happen fast enough so that mac80211 had not yet processed the
first beacon.
Add a delay and a second check to ensure this error will be caught in
the future.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com> Reviewed-by: Ilan Peer <ilan.peer@intel.com> Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Benjamin Berg [Thu, 31 Jul 2025 13:57:01 +0000 (15:57 +0200)]
AP: Configure channel switch in wpa_supplicant ap_switch_channel()
Without this the post-channel switch configuration is not stored and all
features (HT/VHT/HE/EHT) will be disabled after the switch. This fixes
P2P channel switching to still use HT after the switch as was announced.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com> Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Benjamin Berg [Thu, 31 Jul 2025 13:57:00 +0000 (15:57 +0200)]
AP: Always verify and fix channel switch configuration
On the hostapd control interface, the CHAN_SWITCH command would do some
extra verification and also ensured that HT/VHT/HE/EHT is not being
disabled (as this is correctly supported currently). However, these
checks were missing on the wpa_supplicant side which would be used,
e.g., when a CHAN_SWITCH command is done on a GO interface.
Move these checks into the hostapd_parse_csa_settings() function to
ensure that they are correctly done in both cases. This fixes issues
where for example HT is getting accidentally disabled in a test, causing
a subsequent mac80211 disconnect. Some tests may occasionally trigger
this problem, but usually pass due to timing (this will be addressed by
a later commit).
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com> Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Johannes Berg [Thu, 31 Jul 2025 13:56:59 +0000 (15:56 +0200)]
AP: Support bandwidth changes without CSA through control interface
At least for testing, it's useful to be able to change the bandwidth
on the fly without doing a full channel switch announcement, by just
rebuilding the HT/VHT operation elements. Add support for a command
("SET_BW") to do just that.
Co-developed-by: Ilan Peer <ilan.peer@intel.com> Signed-off-by: Ilan Peer <ilan.peer@intel.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Johannes Berg [Thu, 31 Jul 2025 13:56:57 +0000 (15:56 +0200)]
AP: Create hostapd_parse_freq_params()
Split out hostapd_parse_freq_params() from hostapd_parse_csa_settings()
to be able to use it separately.
Signed-off-by: Johannes Berg <johannes.berg@intel.com> Reviewed-by: Peer, Ilan <ilan.peer@intel.com> Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Aaradhana Sahu [Mon, 6 Oct 2025 04:33:53 +0000 (10:03 +0530)]
nl80211: Set assoc_freq for non-AP MLD
drv->assoc_freq was not set on non-AP MLD (STA) during ML association.
As a result, the wpa_cli status command reports a frequency value of 0
for the associated non-AP MLD.
Fix this by setting drv->assoc_freq for non-AP MLD cases as well.
nl80211: Set NL80211_ATTR_WPA_VERSIONS value to use WPA3 for SAE AP
While requesting the driver to start AP operation with WPA3-SAE, netlink
attr NL80211_ATTR_WPA_VERSIONS was added with value 0x1 (WPA2) instead
of 0x4 (WPA3). Make the AP mode behavior consistent with the previously
used STA functionality with a shared helper function.
Benjamin Berg [Fri, 18 Jul 2025 11:01:02 +0000 (13:01 +0200)]
WNM: ML handling of neighbor report entries
Parse out the AP MLD MAC address and also the provided list of link IDs
using the per-STA profile when provided. If given, the MLD MAC address
will be non-zero and the same is true for the link bitmask which will be
non-zero when links have been specified.
Use this information in wnm_is_bss_excluded() to correctly limit the
links for MLD neighbor report entries. Note that this implementation may
permit more links than expected if these links are part of different
neighbor report entries. This is rarely the case, though, and should it
happen, the AP can simply reject the association on one of the links.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com> Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Benjamin Berg [Fri, 18 Jul 2025 11:01:01 +0000 (13:01 +0200)]
WNM: Stop scan handling after BTM failure
If after our scan, the BSS Transition could not be performed, then still
return success so that the event handling code does not trigger a normal
BSS selection which could try to roam to a forbidden candidate.
Fixes: e508c070c40e ("WNM: Keep BTM information until connection completes") Signed-off-by: Benjamin Berg <benjamin.berg@intel.com> Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Ilan Peer [Fri, 18 Jul 2025 11:00:59 +0000 (13:00 +0200)]
nl80211: Don't try to scan on AP interface with active links
When the kernel driver doesn't support scanning on an AP interface,
nl80211 drivers attempts to switch to station interface to perform a
scan. However, when the AP is affiliated with an AP MLD and there are
already active links this is not valid. In such a case, fail the scan.
Signed-off-by: Ilan Peer <ilan.peer@intel.com> Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com> Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
AP MLD: Set RSC=0 for group key handshake message 1 for MLO
Per IEEE Std 802.11be-2024, 12.7.7.2 (Group key handshake message 1),
the RSC field contains PN for the GTK for non-MLO and 0 for MLO. So for
multi-link association, avoid an explicit GTK PN fetch from the
driver/firmware and instead leave the RSC field to the initialized 0.
Signed-off-by: Sai Pratyusha Magam <smagam@qti.qualcomm.com>
As the comment in wpa_supplicant_event_disassoc_finish() says,
mac80211-based drivers use the WLAN_REASON_DISASSOC_DUE_TO_INACTIVITY
reason code in locally generated disconnection events for cases where
the AP does not reply anymore. This case does not indicate that the PSK
is wrong.
Michael-CY Lee [Tue, 22 Jul 2025 02:01:27 +0000 (10:01 +0800)]
AP MLD: Handle link_id for EVENT_RX_FROM_UNKNOWN
The AP MLD may require the "link_id" to properly handle unexpected
frames. For instance, if the AP MLD receives a Data frame from a
non-associated STA, it must send deauthentication to the link on which
the STA is operating.
Signed-off-by: Michael-CY Lee <michael-cy.lee@mediatek.com> Reviewed-by: Money Wang <money.wang@mediatek.com>
Jouni Malinen [Thu, 2 Oct 2025 20:22:56 +0000 (23:22 +0300)]
hostap: Remove the driver interface for the Host AP driver
The Host AP driver was removed from the Linux kernel two years ago and
it had been marked obsolete before (almost ten years ago). As such,
there is not really much point in maintaining any of this code in
hostapd or wpa_supplicant anymore.
Benjamin Berg [Tue, 22 Jul 2025 07:30:45 +0000 (09:30 +0200)]
test: dbus: Unregister timeout source at end of test
Using timeout_add registers the GSource with the default GMainContext.
This GMainContext will remain the same between tests, and the registered
sources will therefore not be destroyed at the end of the test and will
only be removed after they have triggered and returned False.
Change the test timeout code to use a helper and ensure the GSource is
unregistered again when the test exits. While this is not an actual
problem, it does mean that python can garbage collect the TestDbus
instance earlier as it is otherwise kept alive until the GSource is
free'ed and the reference to the timeout method has been dropped.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com> Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Benjamin Berg [Wed, 18 Jun 2025 12:35:29 +0000 (14:35 +0200)]
BSS: MLD: Add verification for the pairwise cipher
Check that there is a valid pairwise cipher for an EHT AP. Also verify
that each potential link has a pairwise cipher in common with the
association link.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Benjamin Berg [Wed, 18 Jun 2025 12:35:28 +0000 (14:35 +0200)]
BSS: Verify the ML common info for links
Add a check that the AP MLD MAC address, the link ID, the MLD
Capabilities and Operations, the Extended MLD Capabilities as well as
the EML Capabilities match between links. If this is not the case,
refuse to use the offending link.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Ilan Peer [Wed, 18 Jun 2025 12:35:27 +0000 (14:35 +0200)]
defs: Add MLE definitions for Extended MLD operations and capabilities
They will be needed later.
Signed-off-by: Ilan Peer <ilan.peer@intel.com> Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com> Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Benjamin Berg [Wed, 18 Jun 2025 12:35:26 +0000 (14:35 +0200)]
BSS: Parse ML information when updating the BSS
There is no point in re-parsing the MLE all the time if the relevant
information is being cached in the BSS anyway. As such, move the parsing
part to be done when adding/updating the BSS and add a separate function
to retrieve the links that are usable or missing in the BSS cache.
Overall, this is not going to save work, but it means that the
multi-link information in the BSS is always up-to-date and also
detangles the RNR/MLE parsing from the later runtime checks whether the
links are valid for the selected SSID.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Benjamin Berg [Wed, 18 Jun 2025 12:35:25 +0000 (14:35 +0200)]
BSS: Set valid_links for all links and return usable links
This commit is a preparation to better define valid_links in struct
wpa_bss and move parsing to wpa_bss_update(). Before this, the value of
valid_links would depend on whether a neighbor is known and if a struct
wpa_ssid was passed to the parser.
With this change, valid_links is purely defined on whether there is an
entry in the RNR for the corresponding link.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Benjamin Berg [Wed, 18 Jun 2025 12:35:24 +0000 (14:35 +0200)]
BSS: Drop AP MLD MAC address from return parameters for MLE parsing
The AP MLD MAC address is already parsed out when updating the BSS and
stored within the structure. As such, there is no point in parsing it
out again and adding a separate argument just for that.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Benjamin Berg [Wed, 18 Jun 2025 12:35:23 +0000 (14:35 +0200)]
BSS: Use correct AP MLD ID
We need to be more careful about the ID used when resolving the RNR and
doing an ML probe request. The thing to keep in mind is that the AP MLD
ID is local to the reported beacon and can change depending on who is
reporting the information. On the other hand, the Multiple BSSID-Index
is static.
As such, the AP MLD ID that is local to the information should be used
for parsing the RNR. This AP MLD ID can simply be retrieved from the
Multi-Link element. However, if an AP MLD ID is not included, then it
must be assumed to be identical to the Multiple-BSSID Index element.
Note that an AP MLD ID will only ever be included if the underlying code
that does the inheritance chooses to include it in the Multi-Link
element that it inserts. This code may also rewrite the RNR entries to
ensure they match the expected value and leave out the AP MLD ID in the
Multi-Link element.
In contrast, for the purpose of sending a Multi-Link Probe Request we
need to know whether or not the AP is transmitting. For this information
we must purely rely on the Multiple-BSSID Index element.
Fixes: de5e01010cb2 ("wpa_supplicant: Support ML probe request") Signed-off-by: Benjamin Berg <benjamin.berg@intel.com> Reviewed-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
David Spinadel [Thu, 24 Jul 2025 12:00:45 +0000 (14:00 +0200)]
RRM: Don't request LCI and civic if not supported
Check that FTM responder capability bit in Extended Capabilities element
and LCI and Location Civic bits in RM Enabled capabilities element are
set before sending LCI and location civic request in neighbor report
request. If they are not set, don't include the corresponding
sub-elements in the neighbor report request. This change is according to
IEEE Std 802.11-2024, 11.10.10.2 (Requesting a neighbor report).
Signed-off-by: David Spinadel <david.spinadel@intel.com> Signed-off-by: Benjamin Berg <benjamin.berg@intel.com> Reviewed-by: Peer, Ilan <ilan.peer@intel.com>
Add a get() function for the global freq_list configuration value. This
allow `wpa_cli dump` and `wpa_cli get freq_list` return the current
value. If the value isn't set, the `wpa_cli dump` will output
"freq_list=null" and `wpa_cli get freq_list` will fail, similar to STR()
values.
Signed-off-by: Clemens Famulla-Conrad <cfamullaconrad@suse.com>
Add a get() function for the global bgscan configuration value. This
allow `wpa_cli dump` and `wpa_cli get bgscan` return the current value.
If the value isn't set, the `wpa_cli dump` will output "bgscan=null" and
`wpa_cli get bgscan` will fail, similar to STR() values.
Signed-off-by: Clemens Famulla-Conrad <cfamullaconrad@suse.com>
Benjamin Berg [Fri, 1 Aug 2025 07:47:16 +0000 (09:47 +0200)]
tests: Fix mbo_assoc_disallow on old tshark
Older tshark seems to be a bit inconsistent. It returns the timestamp
with a timezone qualifier, but then doesn't accept it when passed in the
same format. Use the frame number instead of the timestamp to work
around that.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
wpa_supplicant: Bump DEFAULT_BSS_MAX_COUNT to 1000
Many congested areas have more than 200 APs in range of a typical
device. When the number of APs exceeds BSS_MAX_COUNT, even nearby APs
can be absent from the scanning device's AP list. Bump the default to
1000 to be more in line with a realistic modern maximum number of APs in
a given area.
RRM: Do not set DELAYED_BA and IMM_BA bits in neighbor report
The bits `Delayed Block Ack` and `Immediate Block Ack` in the
Capabilities subfield of the Neighbor Report element became reserved
bits between IEEE Std 802.11-2016 and IEEE Std 802.11-2020. Do not set
those reserved bits.
Signed-off-by: Pablo Martin-Gomez <pmartin-gomez@freebox.fr>
Add support for null encryption (ENC_NULL) in IKEv2, as described in RFC
2410.
Implement the null cipher by reusing the OpenSSL EVP_enc_null()
function, adding support for ENC_NULL in both encrypt and decrypt
operations.
As specified in RFC 2410:
- The cipher does not use an IV, so an explicit check prevents
a potential floating point exception.
- Padding is not required; so a pad length field with value 0
is appended to the ciphertext.
Null encryption can be useful for (1) debugging purposes and (2)
supporting emerging scenarios, such as 5G networks, where the TNGF
(Trusted Non-3GPP Gateway Function) leverages IKEv2 with null
encryption.
Tested with Free5GC (v4.0.1) using wpa_supplicant.
NAN USD: Fix state machine stall seen with listen failure
If the driver returns -EBUSY for remain_on_channel operation, NAN USD
state-machine gets stuck and no further listen is configured from
wpa_supplicant. Clear the states and re-triggers the nan_de_timer to
restart the listen operation in such case.
In virtual AP mode, driver nl80211 did not handle RTM link events for
non-first BSSs. This leads to the situation when the non-first BSS does
not move into DOWN/UP/LOWER_UP state when netlink reports it and the
interface is left in NO-CARRIER state (e.g., after CAC finished). Also
fix ifindex updating for non-first BSS when it changes, for example,
after rmmod/insmod a wireless driver.
Signed-off-by: Alexander Savchenko <oleksandr.savchenko.dn@bp.renesas.com>
Muna Sinada [Mon, 9 Jun 2025 18:06:16 +0000 (11:06 -0700)]
VLAN: Use VLAN group keys for EAPOL frames and FT reassoc for MLO
When MLO Dynamic VLAN is enabled and non-AP MLDs in a VLAN group are
exchanging EAPOL messages, the AP MLD was providing the primary
authenticator's GTKs instead of the VLAN's GTKs. This results in STAs
being unable to decrypt the VLAN's multicast frames due to incorrect
keys.
In wpa_auth_ml_get_key_info(), if vlan_id is provided, traverse through
the wpa_group list and select the one that matches the vlan_id. From the
matched wpa_group, the correct GTKs are taken.
Similarly in the case of FT + MLO + Dynamic VLAN, handle selecting
VLAN's wpa_group for the FT protocol Reassociation Response frame.
Muna Sinada [Mon, 9 Jun 2025 18:06:15 +0000 (11:06 -0700)]
VLAN: Enable Dynamic VLAN for MLO
Enable Dynamic VLAN for Multi-Link Operation (MLO) in hostapd.
When Dynamic VLAN is enabled for AP MLD (Multi-Link Device), VLAN
list will be maintained in the first BSS (Basic Service Set).
Key changes include:
- Access the VLAN list from the first BSS for the AP MLD.
- When setting Group Temporal Key (GTK) per link, reference the
first BSS for the VLAN list.
- Pass the first BSS when calling functions that iterate through the
VLAN list such as vlan_add_dynamic() and vlan_remove_dynamic().
Benjamin Berg [Mon, 23 Jun 2025 11:28:11 +0000 (13:28 +0200)]
AP MLD: Never keep a per-link wpa_sm
The __checK_assoc_ies() function needs to create a per-link wpa_sm
temporarily. However, later on sta->wpa_sm should just be a reference to
the main wpa_sm.
Change the code so that the temporary state is self-contained to
__check_assoc_ies(). This fixes a memory leak should __check_assoc_ies()
return an error.
Also change the function to pass the wpa_sm for the assoc_link instead
of just a link boolean. The internal lookup appears to not have worked
and this also simplifies the code.
Fixes: 5f5db9366cde ("AP: MLO: Process Multi-Link element from (Re)Association Request frame") Fixes: 84d2a36da02a ("AP MLD: Require same AKM and pairwise cipher for all links") Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Benjamin Berg [Thu, 26 Jun 2025 08:51:24 +0000 (10:51 +0200)]
tests: Disable IPv6 in protected keep-alive test
When the new protected_keep_alive test was added, the @disable_ipv6
decorator was not moved. Disable IPv6 for both keep alive tests by
moving it to the run_ function.
Also remove the @remote_compatible decorator as it does not work with
IPv6 disablement. It was not removed in the patch to disable IPv6 in the
original test.
Fixes: fdf23679f823 ("tests: More coverage for WNM BSS max idle period management") Fixes: 1bd5e35b8733 ("tests: Disable IPv6 in WNM keep-alive test") Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
If you have two peers using wpa_supplicant, right now the client can get
both the GO interface and device addresses, but you can't know your own
device address. Knowing your own device address is useful to coordinate
to the GO and map the interface address to a Peer object once the P2P
connection has been established.
This is already exposed, in a round-about way, via the "PeerGO" property
of the P2PDevice interface.
However, that is rather broken, in the sense that it logically doesn't
belong there, (see the docs which already point it out), and also in the
sense that wpa_supplicant doesn't notify when the property changes,
which confuses clients which cache DBus properties (all of them?).
Instead, expose the GO dev address directly. This is useful to be able
to map back from the group to the GO's peer object (or self).
I didn't manage to get the hwsim tests running on my machine, though
testing this should be trivial-ish. I did test this manually, too...
P2P: Update wpa_s->go_dev_addr on GO during group started notification
Some of the sequences for starting a GO did no update
wpa_s->go_dev_addr. Set that here to keep things more consistent when
this variable gets exposed externally.
AP: Check a STA is HE before copying EHT/6 GHz capabilities
A EHT STA and/or a 6 GHz capable STA is a HE STA. If a STA has an
invalid HE capabilities, the HE capability of the STA is deactivated but
the EHT/6 GHz capability is still activated and their elements copied.
Deactivate the EHT/6 GHz capability of a STA if it is not a HE STA.
Signed-off-by: Pablo Martin-Gomez <pmartin-gomez@freebox.fr>
AP: Check a STA is VHT before copying VHT operation element
If a VHT STA has an invalid VHT Capabilities element, the VHT capability
of the STA is deactivated but the VHT operation element might still be
copied without the VHT Capabilities element being present.
Only copy the VHT operation element if a STA is VHT.
Signed-off-by: Pablo Martin-Gomez <pmartin-gomez@freebox.fr>
AP: Check a STA is HT before copying VHT capabilities
A VHT STA is a HT STA. If a VHT STA has an invalid HT Capabilities
element, the HT capability of the STA is deactivated but the VHT
capability is still activated and the element copied.
Deactivate the VHT capability of a STA if it is not a HT STA.
Signed-off-by: Pablo Martin-Gomez <pmartin-gomez@freebox.fr>
Johannes Berg [Thu, 28 Aug 2025 12:15:00 +0000 (14:15 +0200)]
wpa_debug: Prefer tracefs over debugfs
With Linux 6.17, having /sys/kernel/debug/tracing/ is now optional
(CONFIG_TRACEFS_AUTOMOUNT_DEPRECATED), since tracefs has been around for
a long time. Prefer tracefs when finding the trace_marker file.
Note the "!buf[0]" condition which serves to keep the logic identical to
before when tracefs isn't present, using the first debugfs rather than
the last. That is not likely to matter, but still.
Also mount tracefs in the scripts for running in VMs.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
AP: Fix Supported EHT-MCS And NSS Set field advertisement
The current implementation incorrectly derives the 'Supported EHT-MCS and
NSS Set' field based on the operating HE bandwidth. This is inaccurate, as
the field is part of the EHT Capabilities element and should represent the
full hardware capabilities, not the current operating configuration.
Runtime parameters already have dedicated fields within the EHT Operation
element for their representation.
Hence, resolve the issue by referencing the bandwidth from the HE PHY
Capabilities and using it to correctly derive the Supported EHT-MCS and NSS
Set values.
The current implementation incorrectly derives the 'Supported Channel
Width Set' in the HE PHY Capabilities Information field based on the
operating bandwidth. This, in turn, affects the advertisement of the
'Supported HE-MCS and NSS Set' field. Such behavior is flawed, as
capability advertisement should reflect the full hardware capabilities,
not the current operating configuration. Runtime parameters already have
designated fields in the HE Operation element for their representation.
Hence, fix this now by using the HE PHY Capabilities and Supported
HE-MCS and NSS Set values as advertised by the driver.
AP: Do not set reserved bits in HE Capabilities elements
Currently, bits are set in the Supported Channel Width Set subfields in
the HE Capabilities elements regardless of the current band. However,
IEEE Std 802.11ax-2021, Table 9-322b indicates that some bits are
reserved depending on the current band. Convention states that reserved
bits shall be set to zero unless otherwise stated.
Set bits according to current band and supported widths.
Signed-off-by: Pablo Martin-Gomez <pmartin-gomez@freebox.fr>
QCA vendor attribute to allow P2P SCC with STA connected DFS channel
Define config attributes to support STA connected DFS channel for P2P.
Add a new feature flag
@QCA_WLAN_VENDOR_FEATURE_SUPPORT_STA_DFS_CH_SCC_P2P for the driver to
indicate STA connected DFS channel SCC support.
Karthik M [Thu, 25 Sep 2025 07:31:15 +0000 (13:01 +0530)]
AP MLD: Fix SA query timeout during MLD reassociation
If an AP MLD receives a (Re)Association Request frame from an associated
non-AP MLD and if SA query has already timed out for the existing
station entry, the link address should be updated since the non-AP MLD
might have changed its link address in the new association.
Signed-off-by: Karthik M <karthik.m@oss.qualcomm.com>
Karthik M [Thu, 25 Sep 2025 07:31:14 +0000 (13:01 +0530)]
AP MLD: Add Timeout Interval element for MLD reassociation rejection
The AP MLD with an associated non-AP MLD receiving an (Re)Association
Request frame that uses the same MLD MAC address as that of the
associated non-AP MLD may reject association temporarily and include the
Timeout Interval element to indicate the association comeback time.
However, the Timeout Interval element is not included currently as
mld_addrs_not_translated flag is true in this case which causes NULL sta
object to be passed to send_assoc_resp().
Fix this by not setting mld_addrs_not_translated if the station is found
in the same link where an (Re)Association Request frame is received, so
that the Timeout Interval element is added into the (Re)Association
Response frame when requesting association comeback.
Signed-off-by: Karthik M <karthik.m@oss.qualcomm.com>
AP: Ignore radar event when frequency range is mismatched
In split-MAC enabled cases, radar events which don't have the interface
ID set (like NOP_FINISHED) will be sent to matching 5 GHz frequency BSSs
if the AP MLD has a 5 GHz link. Though, the frequency info is not
matching that of the event received, the event gets currently parsed for
these cases as well. Because of this, other applications might
misinterpret the event wrongly for other interface as well.
Address this by checking that the frequency info received lies within
the interface start and end frequency, and ignore the event if it
doesn't match the interface frequency range.
PASN: Reorder elements in PASN Authentication frames per IEEE 802.11
Reorder the elements in the PASN Authentication frame body to comply
with the order defined in IEEE Std 802.11-2024, Table 9-70
(Authentication frame body). Previously, the PASN Parameters element was
placed before the Wrapped Data element and RSNXE, which violated the
required ordering.
AP MLD: Deinitialize BSS link on interface setup failure
Fix a segmentation fault in hostapd when interface setup fails in
hostapd_add_iface() due to invalid channel information. In this case,
the driver is deinitialized but the BSS link is not, leading to a crash
when the interface is brought down and up during stability testing.
Deinitialize the BSS link if interface setup fails to ensure proper
cleanup and prevent the crash.
projects / thirdparty / hostap.git / log
