AP/MLO: Forward Management frame TX status to correct BSS
In case of MLO AP and legacy client, make sure Management frame TX
status is processed on the correct BSS.
Since there's only one instance of i802_bss for all BSSs in an AP MLD in
the nl80211 driver interface, the link ID is needed to forward the
status to the correct BSS. Store the link ID when transmitting
Managements frames and report it in TX status.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
In case of MLO AP and legacy client, make sure EAPOL TX status is
processed on the correct BSS.
Since there's only one instance of i802_bss for all BSSs in an AP MLD in
the nl80211 driver interface, the link ID is needed to forward the EAPOL
TX status to the correct BSS. Store the link ID when transmitting EAPOL
frames over control interface and report it in TX status.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Ilan Peer [Mon, 22 May 2023 19:34:04 +0000 (22:34 +0300)]
MLO: Add MLO KDEs to EAPOL-Key msg 1/2 of the group handshake
This provides the link specific group keys and last used PN/IPN/BIPN
values to the Supplicant in the MLO KDEs instead of the KDEs used for
non-MLO cases.
Ilan Peer [Mon, 22 May 2023 19:34:03 +0000 (22:34 +0300)]
MLO: Validate MLO KDEs in EAPOL-Key msg 4/4
Verify that the MLD address in EAPOL-Key msg 4/4 is set correctly for
MLO cases. Note that the mechanism used here for distinguishing between
EAPOL-Key msg 2/4 and 4/4 is not exactly ideal and should be improved in
the future.
Signed-off-by: Ilan Peer <ilan.peer@intel.com> Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
This provides the link specific group keys and last used PN/IPN/BIPN
values to the Supplicant in the MLO KDEs instead of the KDEs used for
non-MLO cases.
Signed-off-by: Ilan Peer <ilan.peer@intel.com> Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
MLO: Store MLO link information in RSN Authentication
Make the MLO related information available for the RSN Authenticator
state machine to be able to perform steps needed on an AP MLD. The
actual use of this information will be in the following commits.
Signed-off-by: Ilan Peer <ilan.peer@intel.com> Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
EAPOL frames may need to be transmitted from the link address and not
MLD address. For example, in case of authentication between AP MLD and
legacy STA. Add link_id parameter to EAPOL send APIs.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Ilan Peer [Mon, 22 May 2023 19:33:52 +0000 (22:33 +0300)]
AP: Handle Management frame TX status for AP MLD address
This allows proper TX status handling when MLD addressing is used for
Management frames. Note, that the statuses are still not forwarded to
the correct link BSS. This will be handled in later commits.
AP: MLO: Add Multi-Link element to (Re)Association Response frame
Add the full station profile to the Multi-Link element in the
(Re)Association Response frame. In addition, use the AP MLD's MLD MAC
address as SA/BSSID once the non-AP MLD has been added to the driver to
use address translation in the driver.
Signed-off-by: Ilan Peer <ilan.peer@intel.com> Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
AP: MLO: Process Multi-Link element from (Re)Association Request frame
Implement processing of the Multi-Link element in the (Re)Association
Request frame, including processing of the Per-STA Profile subelement.
After handling the basic parsing of the element and extracting the
information about the requested links, handle the link specific
processing for each link:
- Find the interface with the corresponding link ID.
- Process the station profile in the interface.
- Prepare the Per-STA Profile subelement to be included in the
Multi-Link element in the (Re)Association Response frame.
Signed-off-by: Ilan Peer <ilan.peer@intel.com> Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
AP: MLO: Handle Multi-Link element during authentication
In case the AP is an AP MLD, parse the Multi-Link element from the
Authentication frame, store the relevant information, and prepare the
response Multi-Link element.
If the AP is not an AP MLD or the parsing of the element fails, continue
the authentication flow without MLD support.
For SAE, it is needed to skip various fixed fields in
the Authentication frame. Implement it for SAE with H2E.
TODO: This should be extended to other authentication algorithms which
are allowed for MLD connections and have fixed fields in the
Authentication frames, according to IEEE P802.11-REVme/D3.0, Table 9-69
(Presence of fields and elements in Authentications frames).
This commit doesn't support FILS, FT, etc.
Signed-off-by: Ilan Peer <ilan.peer@intel.com> Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Ilan Peer [Mon, 22 May 2023 19:33:40 +0000 (22:33 +0300)]
AP: Match received Management frames against MLD address
Once a station is added to the underlying driver, the driver is expected
to do address translation and use MLD addresses. Thus, when handling a
received Management frame, match it against the MLD address.
Ilan Peer [Mon, 22 May 2023 19:33:39 +0000 (22:33 +0300)]
AP: MLO: Make IEEE 802.1X SM, authserv, and RADIUS client singletons
To simplify the handling of MLD stations, assume that all
interfaces/BSSs use the same IEEE 802.1X authenticator, the same RADIUS
server instance, and the same RADIUS client.
Signed-off-by: Ilan Peer <ilan.peer@intel.com> Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
Ilan Peer [Mon, 22 May 2023 19:33:37 +0000 (22:33 +0300)]
AP: Include an RNR element in Beacon frames for AP MLD
- Include RNR element in Beacon frames of AP MLDs.
- Whenever a new interface is added to an AP MLD, reconfigure
the Beacon frame templates for all other interfaces, to allow
updating their RNR elements.
Ilan Peer [Mon, 22 May 2023 19:33:34 +0000 (22:33 +0300)]
driver: Allow to provide a link ID when setting a channel
This includes:
- Modifications of the driver API, to include the link ID as part
of 'struct hostapd_freq_params'.
- Modifications to nl80211 driver.
- Modifications for the driver wrappers.
Signed-off-by: Ilan Peer <ilan.peer@intel.com> Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
AP: Allow starting multiple interfaces within single MLD
Add support for including multiple hostapd interfaces in the same AP
MLD, i.e., all using the same underlying driver network interface.
To do so, when a new hostapd interface is added, if there is already
another interface using the same underlying network interface, associate
the new interface with the same private data object, instead of creating
a new one.
As some of the BSSs are non-first BSSs, meaning that they reuse the
drv_priv of the initial BSS, make sure not to double free it.
Currently multiple BSS entries are not supported so always use bss[0]
for MLD.
Signed-off-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com> Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Benjamin Berg [Mon, 22 May 2023 19:33:29 +0000 (22:33 +0300)]
nl80211: Rename the per iface-type capabilities struct
We will start using this structure to also track MLD related
capabilities instead of just extended capabilities. As such, give the
structure a more generic name.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Jouni Malinen [Tue, 6 Jun 2023 14:02:51 +0000 (17:02 +0300)]
tests: Fix the previous update of the regulatory database to VMs
The last update of the wireless-regdb database to the wireless-regdb.git
version of 2023-02-13 in commit c4034a69fea1 ("tests: Update regulatory
database to VMs") forgot to update regulatory.db.p7s. Update it as well.
Pooventhiran G [Tue, 14 Mar 2023 06:05:41 +0000 (11:35 +0530)]
AP: Handle 6 GHz AP state machine with NO_IR flags
AP cannot come up in channels that are marked as NO_IR. If AP moves to
HAPD_IFACE_DISABLED state, it will deinitialize the nl80211 driver
interface and sockets.
Hence, introduce a new state called HAPD_IFACE_NO_IR, for 6 GHz APs to
handle NO_IR scenarios, such as AFC, where the channels not allowed by
AFC will have HOSTAPD_CHAN_NO_IR flag set. In this state, AP is still
kept in a non-operational state (stopped) without deinitializing the
nl80211 driver interface. wiphy reg change event can then update the
channels and bring up the AP in a valid channel.
Signed-off-by: Pooventhiran G <quic_pooventh@quicinc.com>
Define a QCA vendor command to configure MLO link id for TDLS
Define a QCA vendor command to configure MLO link id to the driver on
which the TDLS discovery response frame needs to be transmitted when the
local station is connected in MLO mode. This command is configured to
the driver the prior to every TDLS discover frame transmission when the
station is connected in MLO mode. If the station is connected in non-MLO
mode this command is not configured to the driver for TDLS discovery
frame transmission.
PASN: Introduce configuration option to allow/deny PASN-UNAUTH
Per IEEE P802.11az/D7.0, 12.12.3.2 (PASN Frame Construction and
Processing), responder should REFUSE PASN authentication frame 1 with
Base AKM as PASN AKM if dot11NoAuthPASNActivated is false. That
configuration was not previously available and hostapd was hardcoded
with dot11NoAuthPASNActivated being true.
Allow this to be configured and reject PASN authentication frame 1 from
initiator if pasn_noauth=0 and Base AKM in RSNE of this frame is PASN.
The default value for pasn_noauth is 1 to maintain previous
functionality even though the dot11NoAuthPASNActivated is defined to
have default value of false.
Signed-off-by: Sai Pratyusha Magam <quic_smagam@quicinc.com>
Ainy Kumari [Thu, 25 May 2023 11:19:14 +0000 (16:49 +0530)]
Increase MAX_NL80211_NOISE_FREQS in survey dump handler for 6 GHz
The current value of 50 is not sufficient for getting survey info for
all the frequencies when the 6 GHz band is enabled. Increase the limit
to 100 to be able to receive survey info for 6 GHz frequencies also.
MLD STA: Use AP MLD address as previous BSSID for reassociation requests
The Linux kernel expects to use the AP MLD address in
NL80211_ATTR_PREV_BSSID for reassociation requests when the current
association is MLO capable.
Previously, wpa_supplicant was using the BSSID value in
NL80211_ATTR_PREV_BSSID even if the connection is MLO capable. Fix this
by sending the AP MLD address in NL80211_ATTR_PREV_BSSID for
reassociation requests when MLO is used.
MLD STA: Allow auth frames without ML IE for failure status codes
In some cases like unknown-group rejection, AP MLD can't parse the
received Authentication frame to the point of the Multi-Link element if
the group used by the peer is unknown to the AP MLD.
In such cases, AP MLD not including Multi-Link element in rejection
Authentication frames can be considered as standard compliant since AP
MLD doesn't know whether the received Authentication frame has
Multi-Link element or not.
To avoid connection issues in such cases, don't reject Authentication
frames without Multi-Link element when status code is other than
WLAN_STATUS_SUCCESS, WLAN_STATUS_SAE_HASH_TO_ELEMENT,
WLAN_STATUS_SAE_PK, and WLAN_STATUS_ANTI_CLOGGING_TOKEN_REQ.
Store pmk_r1_name derived with wpa_ft_local_derive_pmk_r1() properly
The parameter req_pmk_r1_name was not used at all in the function
wpa_ft_local_derive_pmk_r1(). In addition, the PMK-R1-NAME should be
updated in this function along with the PMK-R1. This means the parameter
should change from "req_pmk_r1_name" to "out_pmk_r1_name" to match the
design used for other paths that derive the PMK-R1.
sm->pmk_r1_name needs to be properly updated when pmk_r1_name is derived
from the local pmk_r0.
Signed-off-by: Adil Saeed Musthafa <quic_adilm@quicinc.com>
Do prune_association only after the STA is authorized
Prune-associations should be done only after the new station is
authorized. Otherwise any STA can cause denial of service to connected
stations in PMF case when more than a single interface is being
controlled by the same hostapd process.
Signed-off-by: Adil Saeed Musthafa <quic_adilm@quicinc.com>
Add a new driver feature flag for enhanced audio experience over WLAN
Add QCA_WLAN_VENDOR_FEATURE_ENHANCED_AUDIO_EXPERIENCE_OVER_WLAN in
enum qca_wlan_vendor_features to indicate the device supports enhanced
audio experience over WLAN feature.
Also, update the documentation where other subcommand(s) or attribute(s)
require this new feature flag. These subcommand(s) and attributes are
under development and would be restricted to the supported drivers
advertising QCA_WLAN_VENDOR_FEATURE_ENHANCED_AUDIO_EXPERIENCE_OVER_WLAN.
As such, it is still acceptable to introduce a new requirement for the
previously defined interface.
Add vendor attributes for forcing MLO power save and STR TX
Add vendor attributes for EHT testbed STA configuration.
This includes enabling STR MLMR mode and forcing power save
on active MLO links for a defined number of beacon periods.
Add vendor attributes for EHT OM control, EMLSR padding delay
Add vendor attributes related to MLO and EMLSR mode
capability configuration for EHT testbed STA. It includes
EHT OM control support and EMLSR padding delay configuration.
Also, generalise the naming of HE OMI control enumeration to
OMI control as it now consists of both HE and EHT OMI control
fields.
Jouni Malinen [Thu, 4 May 2023 07:18:34 +0000 (10:18 +0300)]
Do not disconnect EAPOL-Logoff before authentication
Some station devices are apparently sending the EAPOL-Logoff message in
some cases before the initial authentication for WPA2/WPA3-Enterprise.
hostapd would have forced a "post EAP-Failure" disconnection in 10 ms
for such cases while still allowing the EAP authentication to try to
complete.
This is not ideal and could result in interoperability issues, so skip
the forced disconnection in the particular case where the EAPOL-Logoff
message is received before the first authentication is completed.
In addition, disconnect the STA without starting new EAP authentication
and the 10 ms delay if an EAPOL-Logoff message is received after
authentication has been completed successfully. This results in cleaner
behavior by avoiding the extra start of a new EAP authentication in a
case where the STA is going to be disconnected shortly.
Jintao Lin [Thu, 20 Apr 2023 21:36:40 +0000 (21:36 +0000)]
wpa_supplicant: Skip scan before starting a BSS in AP mode
When starting a new BSS as AP mode, the network configs have been passed
in from the BSS config. There is no need to scan before creating a new
BSS. Reuse connect_without_scan structure member to bypass scan when the
mode is WPAS_MODE_AP.
Signed-off-by: Jintao Lin <jintaolin@chromium.org>
Nick Hainke [Tue, 14 Mar 2023 21:17:19 +0000 (22:17 +0100)]
wpa_supplicant: Fix compiling without IEEE8021X_EAPOL
If IEEE8021X_EAPOL is not defined wpa_supplicant will not compile with
following error:
events.c: In function 'wpa_supplicant_connect':
events.c:1827:14: warning: implicit declaration of function 'eap_is_wps_pbc_enrollee' [-Wimplicit-function-declaration]
1827 | if ((eap_is_wps_pbc_enrollee(&ssid->eap) &&
| ^~~~~~~~~~~~~~~~~~~~~~~
events.c:1827:43: error: 'struct wpa_ssid' has no member named 'eap'
1827 | if ((eap_is_wps_pbc_enrollee(&ssid->eap) &&
| ^~
Add ifdef statements around the calling function to fix the issue.
Andrew Pope [Wed, 19 Apr 2023 03:12:30 +0000 (13:12 +1000)]
DPP: Remove argument requirement for DPP push button command
The hostapd_cli command to initiate DPP push button mode mandates at
least one argument to be provided. Arguments provided to the command
are used to optionally supply configuration options when running in
this mode. They are not strictly required for DPP push button mode to
start. This patch removes the min requirement check on the command.
Signed-off-by: Andrew Pope (andrew.pope@morsemicro.com)
Add vendor attributes for MLO link active, EMLSR entry/exit
Add vendor attributes related to MLO and EMLSR mode
capability configuration for EHT DUT. This includes forcing
active MLO links and invoking EMLSR mode entry or exit.
Some of the information elements added in IEEE Std 802.11ax-2013 for VHT
purposes have since then been taken into use for other cases and renamed
to remove the "VHT" prefix in the standard. Update the defines for those
elements in the implementation to match the names used in the current
standard.
hostapd: Support channel switch to 320 MHz channels
Add validatation of center frequency, and filling of appropriate
bandwidth in the channel switch wrapper when the channel switch is done
to a 320 MHz channel.
Use the op_class configuration to determine whether to select the 5 GHz
or 6 GHz mode for ACS. Without this, the first mode (5 GHz in most
cases) would have been selected regardless of the op_class value.
Fix 40 MHz channel bringup with ACS on the 6 GHz band
When AP is brought up in HE40/EHT40 with ACS, the AP comes up with 20
MHz bandwidth. It is expected to come up with 40 MHz bandwidth.
conf->secondary_channel does not hold the correct value and it leads to
choosing 20 MHz in hostapd_set_freq_params(). conf->secondary_channel is
filled using the hostapd config he_oper_centr_freq_seg0_idx. When AP is
configured to use ACS, the hostapd config he_oper_centr_freq_seg0_idx is
not valid as the channel is not known during bring up. So using the
config he_oper_centr_freq_seg0_idx to fill the conf->secondary_channel
does not work with ACS.
Use op_class to determine the bandwidth and based on the bandwidth fill
the conf->secondary_channel to address this ACS case.
Signed-off-by: Hari Chandrakanthan <quic_haric@quicinc.com>
Allow MLO disabled connection to legacy open/WPA2-Personal-only AP MLDs
wpa_supplicant was skipping MLD APs from network selection when the AP
advertise legacy open, WPA2-Personal-only (PSK without SAE), or PMF
disabled. However, there are already some early Wi-Fi 7 APs in the
market which advertise legacy open, WPA2-Personal-only, or PMF disabled
even though these combinations are unlikely to be allowed for Wi-Fi 7 in
the end.
To avoid connectivity issues with such APs, allow stations to connect
with MLO disabled when an AP MLD is detected to advertise legacy open,
WPA2-Personal-only (PSK without SAE), or PMF disabled.
This reverts commit 7d8b96dcfdbb ("wpa_supplicant: Apply same
restrictions for MLD as for 6 GHz BSS") except WEP and TKIP checks,
i.e., AP MLDs which advertise only WEP or TKIP are still skipped from
network selection.
For the SME-in-wpa_supplicant case, skip configuring MLD parameters to
the driver if the STA can connect only in legacy open,
WPA2-Personal-only, or PMF disabled mode. For the SME-in-driver case, it
is the driver's responsibility to initiate connection with MLO disabled
with such APs.
Update AP RSNE/RSNXE to RSN state machine on driver-selected BSS cases
The driver-initiated BSS selection case and the "Network configuration
found for the current AP" case ended up clearing the RSN state machine
information on AP RSNE/RSNXE. That could result in incorrect behavior if
some key management operations depended on accurate information. For
example, this could result in not deriving the KDK as part of the PTK
derivation and failing to complete 4-way handshake if both the AP and
the STA indicated support for Secure LTF.
If the scan results for the selected BSS are available, use those to
update the RSN state machine AP RSNE/RSNXE similarly to the way this is
done with wpa_supplicant selects the BSS instead of clearing that
information in the RSN state machine.
tests: KDK derivation based on Secure LTF capability
This adds more production-like testing coverage for KDK derivation. Both
SAE and OWE transition mode are covered. The latter has some corner
cases that did not work correctly previously.
OWE: Update transition mode information on selecting a new BSS
It is possible for a new BSS entry to be added for the
hidden-SSID-OWE-BSS when running a new scan after having previously
learned the hidden SSID during a previous OWE connection attempt. That
new entry would not necessarily have the WPA_BSS_OWE_TRANSITION flag set
and that would result in not being able to recognize the appropriate OWE
profile when checking the association event against the transition mode
configuration.
Fix this by updating the BSS entry for OWE transition mode information
for the cases where this might happen.
Fix determining mode for 6 GHz band when using hw_mode=any
When 6 GHz band is specified and hw_mode parameter is set to any,
hostapd_determine_mode() may determine the wrong mode because there are
two hw modes (5 GHz and 6 GHz) with HOSTAPD_MODE_IEEE80211A. This will
cause 6 GHz AP to fail to start. Fix this by adding a check similar to
the changes in commit 99cd453720d6 ("hw_feature: Correctly select mode
in case of the 6 GHz band") into hostapd_determine_mode().
Add support to fetch link layer stats per MLO link
IEEE 802.11be enables multiple links between STA and AP. Each of the
link has its own set of statistics. Add additional attributes required
to fetch link layer statistics per MLO link.
For MLO connection, per MLO link statistics will be sent with the new
attribute QCA_WLAN_VENDOR_ATTR_LL_STATS_MLO_LINK. Also, cumulative
statistics of all the MLO links will be sent outside
QCA_WLAN_VENDOR_ATTR_LL_STATS_MLO_LINK to be compatible with legacy user
space.
For non-MLO connection, the statistics will be sent without being nested
inside QCA_WLAN_VENDOR_ATTR_LL_STATS_MLO_LINK attribute.
Fix vendor attribute numbering and relocate attribute accordingly
The attributes QCA_WLAN_VENDOR_ATTR_LL_STATS_PAD and
QCA_WLAN_VENDOR_ATTR_LL_STATS_IFACE_NF_CAL_VAL were allocated the same
attribute number in error. QCA_WLAN_VENDOR_ATTR_LL_STATS_PAD attribute
is known to not be used; thus, it is safe to be renumbered.
Chunquan Luo [Wed, 19 Apr 2023 11:28:06 +0000 (04:28 -0700)]
Add a vendor specific roam status of background scan abort
When user space triggers a scan, the firmware aborts background scan,
and uses the roam status QCA_ROAM_FAIL_REASON_CURR_AP_STILL_OK instead
of "Invalid roam failures reason".
Signed-off-by: Chunquan Luo <quic_chunquan@quicinc.com>
MLD STA: Do not fail on unknown IEs in Authentication frames
Fail MLD address validation only if Authentication frames IE parsing
actually failed, i.e., ignore all unknown IEs.
This is needed to avoid authentication failure when the Authentication
frames include IEs which are not handled by ieee802_11_parse_elems(),
e.g., AKM Suite Selector IE.
Xin Deng [Tue, 11 Apr 2023 10:24:58 +0000 (18:24 +0800)]
hostapd: Restore the flow of set beacon and WPA key init
hostapd start AP flow changed in commit 931e5d4f9e2e. However, that
could cause a regression in a legacy AP driver where the set key
operation for GTK, IGTK, and BIGTK before AP start (set beacon) would
cause the driver to ignore the key set command. Restore the flow of the
set beacon and WPA key init operations to make sure drivers can receive
and set group keys correctly.
Fixes: 931e5d4f9e2e ("mbssid: Configure all BSSes before beacon setup") Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
Export wpa_supplicant config item 'he' for external configuration
Export the "he" network profile item to be configurable from external
client side, like wpa_cli or NetworkManager. This follows the earlier
changes to allow the previously internal-only parameter (e.g., vht) to
be used for additional purposes for AP mode.
Allowed frequency list configuration for AP operation
Add support to configure the allowed frequency list for AP operation
using a QCA vendor interface before NL80211_CMD_NEW_BEACON/
NL80211_CMD_START_AP. hostapd generates the allowed frequency list by
intersecting user configured frequency list and all the frequencies
advertised by the driver including disabled channels. If user doesn't
specify allowed frequency list, all the frequencies advertised by the
driver, including disabled channels, will be configured.
At least some of the previous versions have expired, so need to re-sign
these to avoid EAP test case failures. This contains updates from
running tests/hwsim/auth_server/update.sh.
projects / thirdparty / hostap.git / log
